Internet Engineering Task Force                        S. Perreault, Ed.
Internet-Draft                                                  Viagenie
Intended status: BCP                                         I. Yamagata
Expires: September 13, 2011                                  S. Miyakawa
                                                      NTT Communications
                                                             A. Nakagawa
                                          Japan Internet Exchange (JPIX)
                                                               H. Ashida
                                                          March 12, 2011

           Common requirements for IP address sharing schemes


   This document defines common requirements for Carrier-Grade NAT (CGN)

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on September 13, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Perreault, et al.      Expires September 13, 2011               [Page 1]

Internet-Draft              CGN Requirements                  March 2011

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Requirements for CGN devices . . . . . . . . . . . . . . . . .  4
   4.  Logging  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Bulk Port Allocation . . . . . . . . . . . . . . . . . . . . .  7
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  8
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     9.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
     9.2.  Informative Reference  . . . . . . . . . . . . . . . . . .  9
   Appendix A.  Change Log (to be removed by RFC Editor prior to
                publication)  . . . . . . . . . . . . . . . . . . . . 10
     A.1.  Changed in -01 . . . . . . . . . . . . . . . . . . . . . . 10
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10

Perreault, et al.      Expires September 13, 2011               [Page 2]

Internet-Draft              CGN Requirements                  March 2011

1.  Introduction

   With the shortage of IPv4 addresses, it is expected that more ISPs
   may want to provide a service where a public IPv4 address would be
   shared by many subscribers (also known as NAT444
   [I-D.shirasaki-nat444-isp-shared-addr]).  Each subscriber is assigned
   a private address, and a NAT device situated in the ISPs network
   translates between private and public addresses.

   This is not to be considered a solution to the shortage of IPv4
   addresses.  It is a service that can conceivably be offered alongside
   others, such as IPv6 services or regular, un-NATed IPv4 service.
   Some ISPs started offering such a service long before there was a
   shortage of IPv4 addresses, showing that there are driving forces
   other than the shortage of IPv4 addresses.

   This document describes behavioural requirements that are to be
   expected of those ISP-controlled NAT devices.  Meeting this set of
   requirements will greatly increase the likelihood that subscribers'
   applications will function properly.

   Readers should be aware of potential issues that may arise when
   sharing public address between many subscribers.  See
   [] for details.

   This document builds upon previous works describing requirements for
   generic NAT devices.[RFC4787][RFC5382][RFC5508].  These documents
   still apply in this context.  What follows are additional
   requirements, to be satisfied on top of previous ones.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

   Readers are expected to be familiar with [RFC4787] and the terms
   defined there.  The following term is used in this document:

   Carrier-Grade NAT (CGN):  NAT device placed between a subscriber and
      the Internet in an ISP's network.  A CGN translates IP addresses
      and transport-protocol port numbers in the packets that it
      forwards across the border between the internal and external

         Note that the term "carrier-grade" has nothing to do with the
         quality of the NAT device; that is left to discretion of

Perreault, et al.      Expires September 13, 2011               [Page 3]

Internet-Draft              CGN Requirements                  March 2011

         implementors.  Rather, it is to be understood as a topological
         qualifier: the NAT device is placed in an ISP's network and
         translates the traffic of potentially many subscribers.  Those
         have limited or no control over the CGN, whereas they typically
         have full control over a NAT placed on their premises.

   Figure 1 summarises the network topology in which CGN devices

                                  |       Internet
                  ............... | ...................
                                  |       ISP network
                              ++------++  External realm
                  ........... |  CGN   |...............
                              ++------++  Internal realm
                                |    |
                                |    |
                                |    |    ISP network
                  ............. | .. | ................
                                |    |  Customer premises
                        ++------++  ++------++
                        |  CPE1  |  |  CPE2  |  etc.
                        ++------++  ++------++

                      Figure 1: CGN network topology

3.  Requirements for CGN devices

   What follows is a list of requirements for CGN devices.  They are in
   addition to those found in other documents such as [RFC4787],
   [RFC5382], and [RFC5508].

   REQ-1:  A CGN MUST have an "IP address pooling" behaviour of

   Justification:  This is a stronger form of REQ-2 from [RFC4787].

      Note that this requirement applies regardless of the transport
      protocol.  In other words, a CGN must use the same external IP
      address mapping for all sessions associated with the same internal
      IP address, be they TCP, UDP, ICMP, something else, or a mix of
      different protocols.

Perreault, et al.      Expires September 13, 2011               [Page 4]

Internet-Draft              CGN Requirements                  March 2011

   REQ-2:  A CGN SHOULD limit the number of external ports (or,
      equivalently, "identifiers" for ICMP) that are assigned per CPE.

      A.  Limits SHOULD be configurable by the CGN administrator.

      B.  Limits MAY be configured and applied independently per
          transport protocol.

      C.  Additionally, it SHOULD be possible to limit the rate at which
          external ports are allocated.

   Justification:  A CGN can be considered a network resource that is
      shared by competing subscribers.  Limiting the number of external
      ports assigned to each CPE mitigates the DoS attack that a
      subscriber could launch against the CGN in order to get a larger
      share of the resource.  It ensures fairness among subscribers.
      Limiting the rate of allocation is intended to further help
      mitigate DoS attacks.

   REQ-3:  A CGN SHOULD limit the number of TCP sessions per CPE.

      A.  Limits SHOULD be configurable by the CGN administrator.

      B.  Additionally, it SHOULD be possible to limit the rate at which
          TCP sessions are instanciated.

   Justification:  A NAT needs to keep track of TCP sessions associated
      to each mapping.  This state consumes resources for which, in the
      case of a CGN, subscribers may compete.  It is necessary to ensure
      that each subscriber has access to a faire share of the CGN's
      resources.  Limiting TCP sessions per CPE and per time unit is an
      effective mitigation against inter-subscriber DoS attacks.
      Limiting the rate of TCP session instanciation is intended to
      further help mitigate DoS attacks.

   REQ-4:  It SHOULD be possible to administratively turn off
      translation for specific destination addresses and/or ports.

   Justification:  It is common for a CGN administrator to provide
      access for subscribers to servers installed in the ISP's network,
      in the external realm.  When such a server is able to reach the
      internal realm via normal routing (which is entirely controlled by
      the ISP), translation is unneeded.  In that case, the CGN may
      forward packets without modification, thus acting like a plain
      router.  This may represent an important efficiency gain.

Perreault, et al.      Expires September 13, 2011               [Page 5]

Internet-Draft              CGN Requirements                  March 2011

      Figure 2 illustrates this use-case.

                 X1:x1            X1':x1'            X2:x2
                 +---+from X1:x1  +---+from X1:x1    +---+
                 |   |  to X2:x2  |   |  to X2:x2    | S |
                 | C |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
                 | P |            | G |              | r |
                 | E |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
                 |   |from X2:x2  |   |from X2:x2    | e |
                 |   |  to X1:x1  |   |  to X1:x1    | r |
                 +---+            +---+              +---+

                        Figure 2: CGN pass-through

   REQ-5:  It is RECOMMENDED that a CGN have an "Endpoint-Independent
      Filtering" behaviour.

   Justification:  This is a stronger form of REQ-8 from [RFC4787].  An
      "Address-Dependent Filtering" behaviour is NOT RECOMMENDED.  This
      is based on the observation that some games and peer-to-peer
      applications require EIF for the NAT traversal to work.  In the
      context of a CGN it is important to minimise application breakage.

   REQ-6:  When a CGN loses state (due to a crash, reboot, failover to a
      cold standby, etc.), it MUST start using a different external
      address pool.

   Justification:  This is necessary in order to prevent collisions
      between old and new mappings and sessions.  It ensures that all
      established sessions are broken instead of redirected to a
      different peer.  The previous address pool MAY of course be reused
      after a second loss of state.

4.  Logging

   It may be necessary for CGN administrators to be able to identify a
   subscriber based on external IPv4 address, port, and timestamp in
   order to deal with abuse and lawful intercept requests.  When
   multiple subscribers share a single external address, the source
   address and port that are visible at the destination host have been
   translated from the ones originated by the CPE.

   In order to be able to do this, the CGN needs to log the following
   information for each mapping created:

Perreault, et al.      Expires September 13, 2011               [Page 6]

Internet-Draft              CGN Requirements                  March 2011

   o  internal source address

   o  internal source port

   o  external source address

   o  external source port

   o  destination address (but see below)

   o  destination port (but see below)

   o  timestamp

   A disadvantage of this is that CGNs under heavy usage may produce
   large amounts of logs, which may require large storage volume.

   Readers should be aware of logging recommendations for Internet-
   facing servers [I-D.ietf-intarea-server-logging-recommendations].
   With compliant servers, the destination address and port do not need
   to be logged by the CGN.  This can help reduce the amount of logging.

5.  Bulk Port Allocation

   So far we have assumed that a CGN allocates one external port for
   every outgoing connection.  In this section, the impacts of
   allocating multiple external ports at a time are discussed.

   There is a range of things a CGN can do:

   1.  For every outgoing connection, allocate one external port.

   2.  For an outgoing connection, create a "bin" of several random
       external ports.  Subsequent outgoing connections will use ports
       from the "bin".  When the "bin" is full, a new connection causes
       a new bin to be created.  A bin is smaller or equal to the user's
       maximum port limit.

   3.  Same as (2), but the ports allocated to a "bin" are consecutive
       instead of random.

   Impacts are as follows.

   Port Utilization:  The mechanisms at the top of the list are very
      efficient in their port utilization.  In that sense, they have
      good scaling properties (nothing is wasted).  The mechanisms at
      the bottom of the list will waste ports.  The number of wasted

Perreault, et al.      Expires September 13, 2011               [Page 7]

Internet-Draft              CGN Requirements                  March 2011

      ports is proportional to size of the "bin".

   Logging:  Mechanism (1) creates a lot of log entries.  Mechanisms (2)
      and (3) create the same number of log entries, but (3)'s log
      entries are smaller because a range can be expressed very
      compactly by indicating a range (e.g. "12000-12009").  With large
      "bin" sizes, the logging for mechanisms (2) and (3) can approach
      the logging frequency of DHCP servers.

      Mechanism (1) can log destinations while mechanisms (2) and (3)
      cannot.  This means that a CGN implementing one of the latter two
      will rely on the remote peer to follow the recommendations in
      [I-D.ietf-intarea-server-logging-recommendations].  If this is not
      acceptable, mechanisms (2) and (3) cannot be used.

   Security:  Mechanisms (1) and (2) provide very good security in that
      ports numbers are not easily guessed.  Easily guessed port numbers
      put subscribers at risk of the attacks described in [RFC6056].
      Mechanism (3) provides poor security to subscribers, especially if
      the "bin" size is small.

6.  IANA Considerations

   There are no IANA considerations.

7.  Security Considerations

   If a malicious subscriber can spoof another subscriber's CPE, it may
   cause a DoS to that subscriber by creating mappings up to the allowed
   limit.  Therefore, the CGN administrator SHOULD ensure that spoofing
   is impossible.  This can be accomplished with ingress filtering, as
   described in [RFC2827].

8.  Acknowledgements

   Thanks for the input and review by Tomohiro Nishitani, Yasuhiro
   Shirasaki, Takeshi Tomochika, Kousuke Shishikura, Dai Kuwabara,
   Tomoya Yoshida, Takanori Mizuguchi, Arifumi Matsumoto, Tomohiro
   Fujisaki, Dan Wing, and Dave Thaler.  Dan Wing contributed much of
   section 5.

9.  References

Perreault, et al.      Expires September 13, 2011               [Page 8]

Internet-Draft              CGN Requirements                  March 2011

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, May 2000.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [RFC5382]  Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              April 2009.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056,
              January 2011.

9.2.  Informative Reference

              Shirasaki, Y., Miyakawa, S., Nakagawa, A., Yamaguchi, J.,
              and H. Ashida, "NAT444 addressing models",
              draft-shirasaki-nat444-isp-shared-addr-05 (work in
              progress), January 2011.

              Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing",
              draft-ford-shared-addressing-issues-02 (work in progress),
              March 2010.

              Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging recommendations for Internet facing servers",
              draft-ietf-intarea-server-logging-recommendations-03 (work
              in progress), February 2011.

Perreault, et al.      Expires September 13, 2011               [Page 9]

Internet-Draft              CGN Requirements                  March 2011

Appendix A.  Change Log (to be removed by RFC Editor prior to

A.1.  Changed in -01

   o  Terminology: LSN is now CGN.

   o  Imported all requirements from RFCs 4787, 5382, and 5508.  This
      allowed us to eliminate some duplication.

   o  Added references to
      draft-ietf-intarea-server-logging-recommendations and

   o  Incorporated a requirement from

Authors' Addresses

   Simon Perreault (editor)
   2875 boul. Laurier, suite D2-630
   Quebec, QC  G1V 2M2

   Phone: +1 418 656 9254

   Ikuhei Yamagata
   NTT Communications Corporation
   Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku
   Tokyo  108-8118

   Phone: +81 50 3812 4704

Perreault, et al.      Expires September 13, 2011              [Page 10]

Internet-Draft              CGN Requirements                  March 2011

   Shin Miyakawa
   NTT Communications Corporation
   Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku
   Tokyo  108-8118

   Phone: +81 50 3812 4695

   Akira Nakagawa
   Japan Internet Exchange Co., Ltd. (JPIX)
   Otemachi Building 21F, 1-8-1 Otemachi, Chiyoda-ku
   Tokyo  100-0004

   Phone: +81 90 9242 2717

   Hiroyuki Ashida
   its communications Inc.
   541-1 Ichigao-cho Aoba-ku
   Yokohama  225-0024


Perreault, et al.      Expires September 13, 2011              [Page 11]