Network working group D. Cheng
Internet Draft Huawei Technologies
Category: Standards Track
Expires: September 10, 2011
March 11, 2011
NAT44 with Pre-allocated Ports
draft-cheng-behave-nat44-pre-allocated-ports-02
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 10, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Cheng Expires September 10, 2011 [Page 1]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
carefully, as they describe your rights and restrictions with
respect to this document.
Abstract
This document specifies a NAT44 operation model where external
ports are pre-allocated per subscriber. The NAT44 function is
deployed in carrier's networks also known as CGN. Three new RADIUS
attributes are proposed to support that operation for
configuration and billing purpose. Translation logging on a
NAT44 device is significantly reduced with this operational model.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
Table of Contents
1. Introduction....................................................2
2. Terminology.....................................................4
3. Operation.......................................................4
3.1. An Example.................................................6
4. RADIUS Attributes...............................................7
4.1. Nat-Max-Port-Count Attribute...............................8
4.2. Nat-Alloc-Port-Range Attribute.............................8
4.3. Nat-Alloc-Port-Range Attribute.............................9
5. Table of Attributes............................................11
6. Security.......................................................11
7. IANA Considerations............................................11
8. Acknowledgements...............................................11
9. References.....................................................11
9.1. Normative References......................................11
9.2. Informative References....................................12
10. Authors' Addresses............................................12
1. Introduction
There are currently several IPv4 address sharing mechanisms such as
NAT444([I-D.shirasaki-nat444-isp-shared-addr]) and DS-Lite
([I-D.ietf-softwire-dual-stack-lite]) because of shortage of IPv4
addresses. When an IP flow is initiated from a user side and its
source IPv4 address is replaced by a shared IPv4 address at a NAT44
device, the source TCP/UDP port in the IPv4 packet is also replaced
by one dynamically allocated by the NAT44 device, most likely from a
Cheng Expires September 10, 2011 [Page 2]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
single port pool, and as such, the IP flow can be uniquely
identified end-to-end. A NAT44 device usually randomizes the port
selection, and this practice helps enhance the security in the
network.
However, such practice increases the translation logging task on
a NAT44 device. Note each NAT44 translation log entry corresponds
to a unique IP flow and typically includes the destination address
and port, translated source address (the shared IPv4 address),
translated source port (the one allocated by the NAT44 device),
original source address and port, etc. It requires large volume of
storage and also processing capacity on a NAT44 device for such
operation (see Section 11 of
[I-D.ietf-intarea-shared-addressing-issues]).
This document proposes an operation model for NAT44, where a
maximum number of TCP/UDP ports is configured on a RADIUS server
for each subscriber as part of the user profile. This information
is passed to the NAT44 device where a subscriber is attached. The
NAT44 device dynamically pre-allocates a port range for a given
subscriber, and the number of ports in that range must be less or
equal to the maximum number of ports that has been assigned. When
a new IP flow arrives from the subscriber, the NAT44 device then
allocates dynamically a port from the pre-allocated port range for
the subscriber, also assigns a shared IPv4 address. The NAT44
device would need to pass the pre-allocated port range along with
the shared IPv4 address to the RADIUS server and the information
may be used for billing purpose. For any contiguous ports that are
no longer needed for a subscriber, the NAT44 device would pass the
associated port range to the RADIUS server to update the actual port
range allocated for the specific user. The communication between the
NAT44 device and RADIUS server uses RADIUS protocol ([RFC2865]),
requiring NAS co-locates with the NAT44 device.
Note a NAT44 may pre-allocate more than one port ranges for any
given subscriber, as long as the total number of ports is less or
equal to the maximum number of ports configured on the RADIUS
server for that subscriber. The actual port pre-allocation is
entirely based on necessity during the operation, e.g., the first
or a new port range may be allocated when receiving the first IP
packet of a new IP flow sent by a subscriber, but the actual
algorithm behind this is out of the scope of this document.
Note also that the new configuration parameter, i.e., the maximum
number of ports on a RADIUS server for a subscriber only imposes a
limit for that subscriber on the usage of ports, and the actual
allocation and de-allocation of any port for that subscriber is
Cheng Expires September 10, 2011 [Page 3]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
entirely performed by the NAT44 device, as always so today.
This NAT44 port pre-allocation model using RADIUS service could
hopefully reduce substantially the intensity on a NAT44 device when
performing session based logging, while still able to conduct
port allocation with randomization.
To support this operation model, three new RADIUS attributes are
defined in this document as follows:
1) The Nat-Max-Port-Count attribute carries the maximum number of
TCP/UDP ports that a NAT44 device can use for a given subscriber
during the translation. The information is configured on a
RADIUS server and passed to a NAT44 device.
2) The Nat-Alloc-Port-Range attribute carries a block of contiguous
ports that a NAT44 device pre-allocates for a given subscriber
along with a shared IPv4 address. This information is passed
to a RADIUS server from the NAT44 device.
3) The Nat-Dealloc-Port-Range attribute carries a block of
contiguous ports that a NAT44 device previously allocated for
a given subscriber but no longer in use, along with a shared
IPv4 address. This information is passed to a RADIUS server
from the NAT44 device.
2. Terminology
This document introduces two terms as follows:
. Max port count
This is the maximum number of TCP/UDP ports for a given
subscriber, which can be used at a NAT44 device.
. Port range
This specifies a contiguous TCP/UDP ports, indicated by the
port with the smallest numerical number and the port with
the largest numerical number.
3. Operation
The per-subscriber based maximum port count is configured on
a RADIUS server, along with other user information such as
credentials. The value of the port count is based on service
Cheng Expires September 10, 2011 [Page 4]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
agreement and its specification is out of the scope of this
document.
A Network Access Server (NAS), located on a NAT44 device,
operates as a RADIUS client.
A subscriber initiates a service request, which is sent to the
NAT44 device that hosts a NAS, which in turn sends a RADIUS
Access-Request message to a RADIUS server. If the server approves
the request after validation, it replies with an Access-Accept
message back to the NAS, where the message includes a list of
parameters for the associated IP session but also the maximum
number of ports as defined in this document. While some parameters
are passed to the subscriber, the maximum port count for that
subscriber is recorded on the NAT44 device.
Upon obtaining the maximum port count for a subscriber, the NAT44
device pre-allocates some ports for the subscriber that are used
during NAT44 procedure when receiving IPv4 flows sent from that
subscriber. The NAT44 may allocates one or more port ranges, where
each range contains a contiguous ports, and the total number of
ports must be less or equal to the maximum port count that it
records for that subscriber. A NAT44 device may choose to allocate
a small range of ports, and allocate more at a later time as
needed; such practice is good because its randomization in nature.
At the same time, the NAT44 device also needs to decide the shared
IPv4 address for that subscriber. The shared IPv4 address and the
pre-allocated port range are then passed to the RADIUS server.
When a subscriber initiates an IPv4 flow, the NAT44 device
randomly selects a port from the pre-allocated port range for that
subscriber to replace the original source port, along with the
replacement of the source IPv4 address by the shared IPv4 address.
At anytime, a NAT44 device may decide to "free" some contiguous ports
that have been allocated for a specific subscriber but not currently
in use, and with that, the NAT44 device must send the information of
the de-allocated port range along with the shared IPv4 address to the
RAIDUS server.
Figure-1 illustrates how RADIUS protocol is used to configure
the maximum number of ports for a given subscriber on a NAT44
device, and obtains the shared IPv4 address and pre-allocated
port range determined by the NAT44 device for that subscriber.
The NAT44 device later de-allocates a range of ports that no
longer used by the subscriber. The NAT44 device sends the
Cheng Expires September 10, 2011 [Page 5]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
information about pre-allocated port range and de-allocated
port range, respectively, to the RADIUS server.
User NAT44/NAS AAA
| | Server
| | |
|----Service Request------>| |
| | |
| |-----Access-Request -------->|
| | |
| |<----Access-Accept-----------|
| | (Nat-Max-Port-Count) |
| | |
|<---Service Granted ------| |
| (other parameters) | |
| | |
| (NAT44 external port |
| pre-allocation and |
| IPv4 address assignment) |
| | |
| |-----Accounting-Request----->|
| | (Nat-Alloc-Port-Range) |
| | |
| |-----Accounting-Request----->|
| | (Nat-Dealloc-Port-Range) |
DHCPv4/IPoPPP RADIUS
Figure 1: RADIUS Message Flow
3.1. An Example
An ISP assigns 1000 ports for the subscriber A based on a
service agreement. This number is the maximum number
of ports that can be used during NAT44 on a NAT44 device for A,
and is configured on a RADIUS server. When A registers with
the ISP's Internet service after required AAA procedure, the
RADIUS server passes the maximum port count (1000) to the NAT44
device that is co-located with a BNG that connects A to
the Internet.
The NAT44 device decides to pre-allocate a small port pool that
contains 40 contiguous ports, from 3500 to 3540, inclusively,
and also assign a shared IPv4 address 192.0.2.15, for A.
Cheng Expires September 10, 2011 [Page 6]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
The NAT44 device passes this port range (3500-3540) and the
shared IPv4 address 192.0.2.15 together to the RADIUS server using
Nat-Alloc-Port-Range attribute.
When A initiates a new IP flow that reaches the NAT44 device, the
original source IP address is replaced by 192.0.2.15, and the
source port is replaced by an available one that is randomly
selected in the port range, say port 3521.
If at a later time, the port pool (3500-3540) is close to
exhaustion, the NAT44 device pre-allocates a second port range
in a similar fashion, with the same or different number of
ports as in the first one, say from 8500 to 8800, inclusively.
The NAT44 then passes this port range (8500-8800) and IPv4
address 192.0.2.15 together to the RADIUS server using
Nat-Alloc-Port-Range attribute.
The NAT44 device may decide to de-allocate a pre-allocated
port pool (or a sub-range of it) based on any algorithm that is
outside of this document, but when that occurs, it needs to
send an update to the RADIUS server. In this example, suppose
at a later time, all ports in the port pool (8500-8800) are not
used and the NAT44 device decides to de-allocate all of them,
the NAT44 device sends this port range (8500-8800) along
with the IP address 192.0.2.15 together to the RADIUS server
using Nat-Dealloc-Port-Range attribute.
4. RADIUS Attributes
Three new RADIUS attributes are defined in this document in order
to achieve the NAT44 operational model as described in Section 3.
The Nat-Max-Port-Count attribute carries the maximum number of
TCP/UDP ports that a NAT44 device can use during NAT44 procedure
for a given subscriber. This maximum number of ports for a given
subscriber is configured on a RADIUS server as part of the user's
profile, and conveyed to the NAT44 device during the user
registration.
The Nat-Alloc-Port-Range attribute carries contiguous TCP/UDP
ports that a NAT44 device has pre-allocated to be used during
NAT44 procedure for a given subscriber, along with an IPv4
address, which may be shared with other subscribers. This
information is sent by the NAT44 device to the RADIUS server,
reflecting the actual ports currently allocated for the specific
subscriber.
Cheng Expires September 10, 2011 [Page 7]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
The Nat-Dealloc-Port-Range attribute carries contiguous TCP/UDP
ports that a NAT44 device has previously allocated, along with an
IPv4 address. All ports in the range are not used anymore by the
specific subscriber. This information is sent by the NAT44 device
to the RADIUS server to update the information of the actual ports
currently allocated for the specific subscriber.
4.1. Nat-Max-Port-Count Attribute
Description
This attribute specifies the maximum number of TCP/UDP ports that
is assigned to a NAT44 device corresponding to a specific
subscriber for NAT44 operation.
The Nat-Max-Port-Count MAY appear in an Access-Accept packet, and
it MAY also appear in an Access-Request packet as a hint by the
NAS to the server as a preference, although the RADIUS server is
not required to honor the hint.
The Nat-Max-Port-Count MAY appear in an Accounting-Request
packet.
The Nat-Max-Port-Count MUST NOT appear in any other RADIUS packets.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Max NAT Port Count |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBD
Length
4 octets.
Max NAT Port Count
The maximum number of TCP/UDP ports that can be used during
NAT44 operation for a given subscriber.
4.2. Nat-Alloc-Port-Range Attribute
Description
Cheng Expires September 10, 2011 [Page 8]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
This attribute contains a range of contiguous TCP/UDP ports,
which is pre-allocated by a NAT44 device for a given subscriber,
and an IPv4 address that may be shared with other subscribers.
The Nat-Alloc-Port-Range MAY appear in an Accounting-Request
packet.
The Nat-Alloc-Port-Range MUST NOT appear in any other RADIUS
packets.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | External Port Range Start |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External Port Range End | External IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External IPv4 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBD
Length
10 octets.
External Port Range Start
The smallest port number in a range of contiguous TCP/UDP
ports.
External Port Range End
The largest port number in a range of contiguous TCP/UDP
ports.
External IPv4 Address
The IPv4 address assigned to the associated user to be used
in the external realm.
4.3. Nat-Alloc-Port-Range Attribute
Description
Cheng Expires September 10, 2011 [Page 9]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
This attribute contains a range of contiguous TCP/UDP ports,
which was pre-allocated by a NAT44 device for a given subscriber
but will no longer be used, along with the IPv4 address previously
used together with ports in the range.
The Nat-Dealloc-Port-Range MAY appear in an Accounting-Request
packet.
The Nat-Dealloc-Port-Range MUST NOT appear in any other RADIUS
packets.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | External Port Range Start |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External Port Range End | External IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External IPv4 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBD
Length
10 octets.
External Port Range Start
The smallest port number in a range of contiguous
TCP/UDP ports.
External Port Range End
The largest port number in a range of contiguous
TCP/UDP ports.
External IPv4 Address
The IPv4 address assigned to the associated user to
be used in the external realm.
Cheng Expires September 10, 2011 [Page 10]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
5. Table of Attributes
The following table provides a guide as the attributes may be
found in which kinds of packets, and in what quantity.
Request Accept Reject Challenge Accounting # Attribute
0-1 0-1 0 0 0-1 TBD Nat-Max-Port-Count
0 0 0 0 0+ TBD NAT-Alloc-Port-Range
0 0 0 0 0+ TBD NAT-Dealloc-Port-Range
The meaning of the above table entries is as follows:
0 This attribute MUST NOT be present.
0-1 Zero or one instance of this attribute MAY be present.
0+ Zero or more instances of this attribute MAY be present.
6. Security
Security problems of the RADIUS protocol are discussed in [RFC2865].
7. IANA Considerations
This document requires the assignment of three new RADIUS attribute
numbers for the following attribute:
Nat-Max-Port-Count
Nat-Alloc-Port-Range
Nat-Dealloc-Port-Range
8. Acknowledgements
Many thanks to Dan Wing who provided useful suggestions and comments.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Cheng Expires September 10, 2011 [Page 11]
Internet-Draft NAT44 with Pre-allocated Ports March 2011
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC2865,
June 2000.
9.2. Informative References
[I-D.ietf-softwire-dual-stack-lite] Durand, A., "Dual-Stack Lite
Broadband Deployments Following IPv4 Exhaustion",
draft-ietf-softwire-dual-stack-lite-07, March 2011.
[I-D.shirasaki-nat444-isp-shared-addr] Shirasaki, Y., Miyakawa, S.,
Nakagawa, A., Yamaguchi, J., and H. Ashida, "NAT444 addressing
models", draft-shirasaki-nat444-isp-shared-addr-05, January 2011.
[I-D.ietf-intarea-shared-addressing-issues] M. Ford, M. Boucadair,
A. Durand, P. Levis, P. Roberts,
draft-ietf-intarea-shared-addressing-issues-05, March 2011.
10. Authors' Addresses
Dean Cheng
Huawei Technologies,
2330 Central Expressway, CA 95050, USA
Phone:+1 408 330 4754
Email: dean.cheng@huawei.com
Cheng Expires September 10, 2011 [Page 12]