Midcom Working Group                                        Sanjoy Sen
Internet Draft                                              Cedric Aoun
                                                             Tom Taylor
Category: Standards Track                              Nortel Networks
Expires: March 2002                                     September 2001

                      MEGACO Middlebox Packages
                 <draft-sct-midcom-megaco-pkg-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This draft is work in progress, intended to satisfy some of the
requirements in [1] that are not met by the Megaco base protocol, as
discussed in [2]. It defines three Packages:
- the base Middlebox Package, containing properties and events
supported by all Middlebox Terminations
- the Basic Firewall Package, extending the base package, containing
properties and events supported by Middlebox Terminations that
perform basic packet-filtering functions
- the Basic NAT Package, extending the base package, containing
properties and events supported by Middlebox Terminations that
perform basic address/port translation functions
A generic model for extending the base Middlebox package and new
command error codes for Middlebox control are also discussed.
Internet Draft Megaco Middlebox Packages September 2001
Table of Contents
Status of this Memo
Abstract
1 Introduction
2 Conventions used in this document
3 Midcom Terminology and Concepts [3]
4 ARCHITECTURE and REQUIREMENTS
5 BASE MIDDLEBOX PACKAGE
5.1 PROPERTIES
5.2 EVENTS
5.3 STATISTICS
5.4 SIGNALS
5.5 PROCEDURES
6 BASIC FIREWALL PACKAGE
6.1 PROPERTIES
6.2 EVENTS
6.3 STATISTICS
7 BASIC NAT PACKAGE
7.1 PROPERTIES
7.2 EVENTS
7.3 STATISTICS
8 NEW COMMAND ERROR CODES
9 Package creation model for new Middlebox functions
10 Security Considerations
11 IANA Considerations
12 References
13 Acknowledgments
14 Authors' Addresses
15 Intellectual Property Statement
16 Full Copyright Statement
1 Introduction
This draft is work in progress, intended to satisfy some of the
requirements in [1] that are not met by the Megaco base protocol, as
discussed in [2]. It defines three Packages:
- the base Middlebox Package containing properties and events
supported by all Middlebox Terminations
- the Basic Firewall Package, extending the base Middlebox
package, containing properties and events supported by Middlebox
Terminations supporting basic packet-filtering functions.
- the Basic NAT Package, extending the base Middlebox package,
containing properties and events supported by Middlebox
Terminations supporting basic Address/Port translation functions.
A generic model to extend the Middlebox packages and new command
error codes for Middlebox control are also discussed.
2 Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119.
3 Midcom Terminology and Concepts [3]
Middlebox: a device that has router functionality and either
alters the content of the IP header or drops or forwards packets
depending on the filtering rule that is applied.
Midcom Agent or Agent: an entity performing an application layer
gateway (ALG) function, logically external to a Middlebox. Midcom
Agents combine application awareness with knowledge of the
Middlebox function.
Ruleset: a logical Middlebox resource comprising a matching
expression for packet flows (flow descriptor) and the actions to be
taken on packets that match the flow descriptor (e.g., drop, modify
certain fields of the IP header).
Midcom protocol: the protocol between a Midcom Agent and a
Middlebox that allows the Agent to gain access to Middlebox
resources and allows the Middlebox to delegate application-specific
processing to the Agent.
The above terms are aligned with the terminology currently used in
the Midcom WG and may evolve over time. The draft will be updated to
reflect any change in terminology.
4 ARCHITECTURE and REQUIREMENTS
[3] describes the general Midcom architecture, consisting of the Agent
and the Middlebox. When the Agent detects the initiation of an
application session requiring Middlebox service, it requests that the
Middlebox establish a ruleset for the application flow. The request
should carry at least the following information:
- a suitable flow descriptor (at a minimum the 5-tuple of source
address, source port, destination address, destination port and
protocol identifier) to identify the flow(s)
- actions (allow, drop, IP address/port translation, or other IP
header manipulation) to be performed on the matched packets
- time-to-live(s) to be associated with the ruleset
- information (if required) for the Middlebox to determine the
interface(s) with which the ruleset should be associated
NOTE: The properties discussed in this draft are for the purpose
of illustration of key ideas and are likely to change with time.
The Midcom WG is in the process of defining the minimum set of
information to be carried by the protocol. The next version of the
draft should reflect the consensus of the Working Group.
The Middlebox should be able to detect Events such as ruleset timer
expiry, element failure etc., and report them to the Agent. It
should also be able to collect relevant statistics, e.g., the number
of packets on which a proposed action has been performed, for
reporting them to the Agent. All these parameters are carried in
Megaco requests and responses and are defined in these packages.
To model Middlebox functions such as firewall and NAT, a new
Middlebox Termination type is defined. Such a Termination can be
associated with an interface and MUST contain the following
parameters: flow descriptor and action(s). In order to allow
multiple Agents to manipulate a ruleset (a key Midcom requirement),
the ruleset is kept separate from the Termination. A Termination
shall be associated with a single ruleset, but a ruleset may be
associated with more than one Termination. Thus, a Termination can
share a ruleset with another Termination, or have a ruleset partially
overlapping with that of another Termination. This model allows two
Agents, controlling two distinct Terminations, to manipulate the same
or overlapping ruleset(s), as discussed in [2]. A Termination will
also support an Event Timer.
At start-up or service change, the Middlebox capabilities, including
all the Terminations and Packages supported, are queried using the
AuditCapabilities command. It is assumed that a trust relationship
between the Middlebox and the Agent has already been established at
this stage (using IPsec, for example, as the underlying transport
mechanism); every ruleset an Agent installs through these packages is
only as trustworthy as that relationship.
5 BASE MIDDLEBOX PACKAGE
PackageID: mb (serial number TBD)
Version: 1
Extends: None
Description: This package is supported by all Middlebox terminations.
It contains the following properties associated with TerminationState
descriptor: Ingress Realm, Source Address, Source Port, Egress Realm,
Destination Address, Destination Port, Protocol Identifier, RTP
Support, and Action. It also contains the following Events: Ruleset
Expiry and Element Failure.
5.1 PROPERTIES
1) Ingress Realm
PropertyId: inrealm (0x0001)
Description: indicates the realm from which the flow enters the
Middlebox. This property can be specified, left unspecified or
wildcarded (ALL). The Ingress Realm property, in conjunction with
Source Address, is used by the MB to determine the ingress
interface(s) with which the ruleset shall be associated. This
determination is governed by the following rules:
I. If both the Ingress Realm and the Source Address are specified,
the MB should be able to uniquely determine the ingress interface
with which the ruleset shall be associated.
II. If the Ingress Realm is specified and the Source Address is
wildcarded, the ruleset shall be associated with all ingress
interfaces under the Ingress Realm.
III. If the Ingress Realm is left unspecified by the Agent, the
ruleset must NOT be associated with any interface unless the Egress
Realm is specified.
IV. If the Ingress Realm is wildcarded with ALL, the Agent is
requesting the MB to determine, from its routing table, the interface
with which the ruleset shall be associated. Note: this assumes that
the Source Address is globally routable. If it is not, the Agent is
required to know the Realm.
Type: string - syntax TBD
Values: as set by the Network Administrator. Can be specified, left
unspecified or wildcarded (only ALL).
Defined in: TerminationState descriptor
Characteristics: read/write
2) Source Address
PropertyId: srcaddr (0x0002)
Description: indicates the source address or range of addresses for
identifying flow(s). Source Address can be used in conjunction with
the Ingress Realm to determine the interface(s) with which a ruleset
shall be associated (See above).
Type: string - syntax TBD
Values: Can be either specified (as a complete address or address
range) or wildcarded (only ALL).
Defined in: TerminationState descriptor
Characteristics: read/write
3) Source Port
PropertyId: srcport (0x0003)
Description: indicates the source port or range of ports for
identifying flow(s).
Type: integer
Values: Can be either specified (as a single port or port range) or
wildcarded (only ALL).
Defined in: TerminationState descriptor
Characteristics: read/write
4) Egress Realm
PropertyId: egrealm (0x0004)
Description: indicates the destination realm of the flow from the MB.
This property can be specified, left unspecified or wildcarded (ALL).
The Egress Realm property, in conjunction with Destination Address,
is used by the MB to determine the egress interface(s) with which the
ruleset shall be associated. This determination is governed by the
following rules:
I. If both the Egress Realm and the Destination Address are
specified, the MB should be able to uniquely determine the egress
interface with which the ruleset shall be associated.
II. If the Egress Realm is specified and the Destination Address
is wildcarded, the ruleset shall be associated with all egress
interfaces under the Egress Realm.
III. If the Egress Realm is left unspecified by the Agent, the
ruleset must NOT be associated with any interface unless the Ingress
Realm is specified.
IV. If the Egress Realm is wildcarded with ALL, the Agent is
requesting the MB to determine, from its routing table, the interface
with which the ruleset shall be associated. Note: this assumes that
the Destination Address is globally routable. If it is not, the Agent
is required to know the Realm.
Type: string - syntax TBD
Values: as set by the Network Administrator. Can be specified, left
unspecified or wildcarded (only ALL).
Defined in: TerminationState descriptor
Characteristics: read/write
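The interface-selection rules I-IV above are the same for the ingress
side (Ingress Realm + Source Address) and the egress side (Egress
Realm + Destination Address). The following is an added example, not
code from this draft, that implements those four rules for one side
of the Middlebox. The realm names, interface names, attached prefixes
and routing table are constructed for illustration, and because the
draft leaves the realm and address syntax TBD, plain realm strings and
CIDR address ranges are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL = "ALL"    # wildcard the draft allows for realms and addresses


@dataclass(frozen=True)
class Interface:
    name: str
    realm: str
    prefix: ipaddress.IPv4Network   # directly attached subnet (constructed)


# Constructed Middlebox configuration: two realms, three interfaces.
INTERFACES = [
    Interface("eth0", "inside", ipaddress.ip_network("10.1.0.0/16")),
    Interface("eth1", "inside", ipaddress.ip_network("10.2.0.0/16")),
    Interface("eth2", "outside", ipaddress.ip_network("192.0.2.0/24")),
]

# Constructed routing table for rule IV: (prefix, interface), longest match wins.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth0"),
    (ipaddress.ip_network("10.2.0.0/16"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth2"),
]


class RealmError(ValueError):
    """The (realm, address) pair does not resolve to any interface(s)."""


def _as_net(addr: str) -> ipaddress.IPv4Network:
    # A "range" is any CIDR prefix; a single host becomes a /32.
    return ipaddress.ip_network(addr, strict=False)


def resolve_interfaces(realm: Optional[str], addr: str,
                       other_realm_specified: bool) -> List[str]:
    """Interfaces a ruleset is associated with on one side of the MB.

    realm/addr are Ingress Realm + Source Address, or Egress Realm +
    Destination Address (the rules are symmetric). realm is None when
    the Agent left it unspecified and ALL when wildcarded. addr is a
    host, a CIDR range, or ALL. other_realm_specified says whether the
    realm on the opposite side was given, which rule III depends on.
    """
    if realm is None:
        # Rule III: nothing on this side; legal only if the other side's
        # realm is specified, otherwise the ruleset would bind nowhere.
        if not other_realm_specified:
            raise RealmError("neither realm specified; ruleset has no interface")
        return []

    if realm == ALL:
        # Rule IV: consult the routing table. Needs a concrete address that
        # is globally routable; for a private address the Agent must know
        # the realm instead.
        if addr == ALL:
            raise RealmError("realm ALL requires a concrete, routable address")
        target = _as_net(addr)
        candidates = [r for r in ROUTES if target.subnet_of(r[0])]
        if not candidates:
            raise RealmError(f"no route for {addr}")
        return [max(candidates, key=lambda r: r[0].prefixlen)[1]]

    in_realm = [i for i in INTERFACES if i.realm == realm]
    if not in_realm:
        raise RealmError(f"unknown realm {realm!r}")

    if addr == ALL:
        # Rule II: every interface under the realm.
        return [i.name for i in in_realm]

    # Rule I: realm + address must pin down exactly one interface.
    matches = [i.name for i in in_realm if _as_net(addr).subnet_of(i.prefix)]
    if len(matches) != 1:
        raise RealmError(f"{addr} in realm {realm!r} matched {matches}")
    return matches
```

The function refuses, rather than guesses, whenever the pair does not
resolve uniquely: an unspecified realm on both sides, a realm
wildcard combined with an address wildcard, or a realm plus address
that matches zero or several interfaces. An MB that silently picked
an interface in those cases would be installing a ruleset the Agent
did not ask for.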
5) Destination Address
PropertyId: destaddr (0x0005)
Description: indicates the destination address or range of addresses
for identifying flow(s). Destination Address can be used in
conjunction with the Egress Realm to determine the interface(s) with
which a ruleset shall be associated (See above).
Type: string - syntax TBD
Values: Can be either specified (as a complete address or address
range) or wildcarded (only ALL).
Defined in: TerminationState descriptor
Characteristics: read/write
6) Destination Port
PropertyId: destport (0x0006)
Description: indicates the destination port or range of ports for
identifying flow(s).
Type: integer
Values: Can be either specified (as a single port or port range) or
wildcarded (only ALL).
Defined in: TerminationState descriptor
Characteristics: read/write
7) Protocol Identifier
PropertyId: protoid (0x0007)
Description: identifies the protocol carried in the IP packet (the
value of the IP Protocol field, e.g., TCP or UDP)
Type: string
Values:
Defined in: TerminationState descriptor
Characteristics: read/write
8) RTP Support
PropertyId: rtp (0x0008)
Description: specifies whether an RTCP flow, carried in the opposite
direction to the RTP packet flow, is to be associated with that RTP
flow. When TRUE, the MB allocates a port binding or opens a pinhole
for the port consecutive to the RTP port, so that the address
translation is: RTP address a/portx, RTCP address a/portx + 1 <-> RTP
address b/porty, RTCP address b/porty + 1. It is assumed that if an
RTP flow is allowed, the corresponding RTCP flow is always allowed.
The default value is FALSE.
Type: Boolean
Values: TRUE, FALSE
Defined in: TerminationState descriptor
Characteristics: read/write
9) Action
PropertyId: action (0x0009)
Description: Specifies the action that should be applied by the
Middlebox on the matched packets. Extension to this Package will add
possible values to action.
Type: Enumeration
Values:
Defined in: TerminationState descriptor
Characteristics: read/write
5.2 EVENTS
1) Ruleset Expiry
EventID: rule-expiry (0x0001)
Description: Indicates that the ruleset-timer associated with a
Termination has expired.
EventDescriptor Parameters:
Timer
ParameterID: timer (0x0001)
Description: timer associated with the Termination
Type: integer
Possible values: duration in seconds
ObservedEventDescriptor Parameters: None added to this Package
2) Element Failure
EventID: mbfail
Description: Indicates a failure in the processing of the Middlebox
function
EventDescriptor Parameters: none added by this package
ObservedEventDescriptor Parameters:
Error code
ParameterID: ec
Description: describes the failure reason
Type: integer, 0 to 99
Possible values:
1 Firewall failure
2 NAT failure
5.3 STATISTICS
None
5.4 SIGNALS
None
5.5 PROCEDURES
The Agent creates a new Termination in a Context when it wants to
create a new ruleset on behalf of the application. It subtracts the
Termination from the Context when the ruleset is no longer needed.
The Agent associates a Timer Event with a Termination (and
implicitly, with a ruleset). Thus, by virtue of the one-to-many
association between the ruleset and Terminations (i.e., when a
ruleset is shared by multiple Agents), a ruleset may be associated
with multiple Timers, each controlled by an Agent. When a Timer
expires, the Agent is notified of that Event by the Middlebox. The
Agent may choose to refresh the ruleset by sending a MODIFY command
to the Termination.
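The procedure above (ADD a Termination with its timer, NOTIFY the
owning Agent on rule-expiry, MODIFY to refresh, SUBTRACT when done)
is modelled by the following added example. It is not code from this
draft. Three points it relies on are assumptions, since the draft does
not state them: a ruleset is enforced while at least one Termination
whose timer has not expired references it; an expired Termination
stays in place, so the Agent can still MODIFY it, until it is
subtracted; and mb/rule-expiry is reported once per expiry.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Ruleset:
    """Flow descriptor plus action; deliberately not tied to a Termination."""
    srcaddr: str
    srcport: str
    destaddr: str
    destport: str
    protoid: str
    action: str


@dataclass
class Termination:
    term_id: str
    agent: str
    ruleset: Ruleset
    expires_at: int        # absolute time in seconds
    notified: bool = False # mb/rule-expiry already raised for this expiry


Notification = Tuple[str, str, str]   # (agent, termination, event)


class Middlebox:
    def __init__(self) -> None:
        self.terms: Dict[str, Termination] = {}
        self.notifications: List[Notification] = []
        self._seq = 0

    def add(self, agent: str, ruleset: Ruleset, timer: int, now: int) -> str:
        """ADD: create a Termination, and its timer, on behalf of agent."""
        self._seq += 1
        tid = f"mb/{self._seq}"
        self.terms[tid] = Termination(tid, agent, ruleset, now + timer)
        return tid

    def modify(self, tid: str, timer: int, now: int) -> None:
        """MODIFY: the Agent refreshes its own timer; other Agents' timers
        on the same ruleset are untouched."""
        t = self.terms[tid]
        t.expires_at = now + timer
        t.notified = False

    def subtract(self, tid: str) -> None:
        """SUBTRACT: the Agent no longer needs the ruleset."""
        del self.terms[tid]

    def tick(self, now: int) -> List[Notification]:
        """Raise mb/rule-expiry once for each Termination whose timer passed."""
        fired = []
        for t in self.terms.values():
            if t.expires_at <= now and not t.notified:
                t.notified = True
                fired.append((t.agent, t.term_id, "mb/rule-expiry"))
        self.notifications.extend(fired)
        return fired

    def enforced(self, ruleset: Ruleset, now: int) -> bool:
        """Assumption: enforced while any unexpired Termination references it."""
        return any(t.ruleset == ruleset and t.expires_at > now
                   for t in self.terms.values())

    def referenced_by(self, ruleset: Ruleset) -> List[str]:
        return [tid for tid, t in self.terms.items() if t.ruleset == ruleset]


def shared_ruleset_scenario() -> dict:
    """Two Agents share one ruleset (constructed values); only the Agent
    whose own timer expired is notified, and the ruleset outlives it."""
    mb = Middlebox()
    rs = Ruleset("10.1.2.3", "ALL", "192.0.2.10", "5060", "17", "Allow")
    t_a = mb.add("agentA", rs, timer=60, now=0)
    t_b = mb.add("agentB", rs, timer=300, now=0)
    out = {"refs": mb.referenced_by(rs)}
    out["fired_at_61"] = mb.tick(61)               # only agentA's timer
    out["enforced_at_61"] = mb.enforced(rs, 61)    # still true via agentB
    mb.modify(t_a, timer=60, now=61)               # agentA refreshes
    out["fired_at_100"] = mb.tick(100)             # nothing new
    mb.subtract(t_b)                               # agentB is done
    out["enforced_at_120"] = mb.enforced(rs, 120)  # agentA's refreshed timer
    out["fired_at_200"] = mb.tick(200)             # agentA expires again
    out["enforced_at_200"] = mb.enforced(rs, 200)  # nobody keeps it alive
    return out
```

The scenario shows why the timer belongs to the Termination rather
than to the ruleset: agentB's subtract does not tear down the flow
while agentA still holds a live Termination, and agentA's expiry is
reported to agentA alone.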
6 BASIC FIREWALL PACKAGE
PackageID: bas-fw (serial number TBD)
Version: 1
Extends: mb
Description: This package describes the properties required by the
Middlebox Termination to perform basic packet-filtering functions.
6.1 PROPERTIES
The Property Action in the Base Package is extended to specify
possible packet-filtering actions: "Allow" and "Drop".
6.2 EVENTS
None
6.3 STATISTICS
1) Packets Dropped
ParameterID: pktsdrop (0x0001)
Description: Number of packets dropped by the Termination in a
session
Units: in packets
Defined in: Statistics descriptor
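The following added example, not code from this draft, shows a bas-fw
Termination in operation: the mb flow-descriptor properties matched
against packets with the ALL wildcard, the "Allow"/"Drop" values of
6.1, and the pktsdrop statistic of 6.3 incremented only for packets
this Termination actually dropped. Because the draft leaves the
address and port range syntax TBD, CIDR prefixes for addresses and
"lo-hi" for port ranges are assumed, as is reading protoid as an IP
protocol number. The packets are constructed, and evaluating
Terminations in list order with first match winning is an assumption
the draft does not make.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL = "ALL"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int        # IP Protocol field: 6 = TCP, 17 = UDP


@dataclass
class FwTermination:
    """One bas-fw Termination: mb flow-descriptor properties, Action, and
    the bas-fw/pktsdrop statistic."""
    srcaddr: str = ALL
    srcport: str = ALL
    destaddr: str = ALL
    destport: str = ALL
    protoid: str = ALL
    action: str = "Drop"      # bas-fw extends mb/action with "Allow" and "Drop"
    pktsdrop: int = 0         # bas-fw/pktsdrop

    @staticmethod
    def addr_match(spec: str, addr: str) -> bool:
        if spec == ALL:
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def port_match(spec: str, port: int) -> bool:
        if spec == ALL:
            return True
        lo, _, hi = spec.partition("-")          # "5060" or "16384-32767"
        return int(lo) <= port <= int(hi or lo)

    def matches(self, pkt: Packet) -> bool:
        return (self.addr_match(self.srcaddr, pkt.src)
                and self.port_match(self.srcport, pkt.sport)
                and self.addr_match(self.destaddr, pkt.dst)
                and self.port_match(self.destport, pkt.dport)
                and (self.protoid == ALL or int(self.protoid) == pkt.proto))

    def apply(self, pkt: Packet) -> Optional[str]:
        """Verdict for pkt, or None when the flow descriptor does not match."""
        if not self.matches(pkt):
            return None
        if self.action == "Drop":
            self.pktsdrop += 1
        return self.action


def filter_packets(terms: List[FwTermination], packets: List[Packet],
                   default: str = "Drop") -> List[str]:
    """Apply Terminations in list order, first match wins (an assumption;
    the draft defines no ordering). Unmatched packets get the default
    policy and are counted by no Termination."""
    verdicts = []
    for pkt in packets:
        verdict = default
        for t in terms:
            v = t.apply(pkt)
            if v is not None:
                verdict = v
                break
        verdicts.append(verdict)
    return verdicts


def sip_scenario() -> dict:
    """Constructed traffic: one host is blocked outright, the rest of the
    10.1/16 realm may send SIP over UDP to 192.0.2.10."""
    block = FwTermination(srcaddr="10.1.2.99", action="Drop")
    sip = FwTermination(srcaddr="10.1.0.0/16", destaddr="192.0.2.10",
                        destport="5060", protoid="17", action="Allow")
    packets = [
        Packet("10.1.2.3", 40000, "192.0.2.10", 5060, 17),   # allowed
        Packet("10.1.2.99", 40000, "192.0.2.10", 5060, 17),  # blocked host
        Packet("10.1.2.3", 40000, "192.0.2.10", 5060, 6),    # TCP, not UDP
        Packet("10.1.2.3", 40000, "192.0.2.10", 5061, 17),   # wrong port
    ]
    return {"verdicts": filter_packets([block, sip], packets),
            "block_pktsdrop": block.pktsdrop, "sip_pktsdrop": sip.pktsdrop}
```

Note that pktsdrop is per Termination, as 6.3 defines it: the two
packets dropped by the default policy are not attributed to either
Termination, so an Agent reading the statistic sees only drops its
own ruleset caused.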
7 BASIC NAT PACKAGE
PackageID: bas-nat (serial number TBD)
Version: 1
Extends: mb
Description: This package provides the properties required by the
Middlebox Termination to perform address and port translation (NAPT)
functions.
7.1 PROPERTIES
1) NAT Action
PropertyId: nat-action (0x0010)
Description: used by the MB to specify whether only address
translation or both address and port translation can be performed by
the Termination on matched packets.
Type: Enumeration
Values: "Address", "Address-port"
Defined in: TerminationState descriptor
Characteristics: read only
2) Bind Values
PropertyId: bindvals (0x0011)
Description: allows the MB to report the translated address/port
information to the Agent. Also allows the Agent to offer a hint to
the MB about the desired translated address/port.
Type: String - detailed syntax TBD
Values:
Defined in: TerminationState descriptor
Characteristics: read/write
7.2 EVENTS
None
7.3 STATISTICS
1) Packets Translated
ParameterID: trans (0x0002)
Description: Number of packets translated by the Termination in a
session
Type: Double integer
Units: in packets
Defined in: Statistics descriptor
8 NEW COMMAND ERROR CODES
Errors consist of an IANA-registered error code and an explanatory
string. Megaco [4] defines a list of IANA-registered error codes. The
following new codes need to be added to that list for the purposes
of Midcom:
582 Ports unavailable
Description: used by a Middlebox NAPT to indicate to the
Agent that no ports are available for translation.
583 Address and port already in use
Description: used by a Middlebox NAPT to indicate to the
Agent that the requested address/port is already in service.
584 Port already in use
Description: used by a Middlebox NAPT to indicate to the
Agent that the requested port is already in service.
585 Resource already in use
Description: used to indicate contention when multiple Agents
attempt to access/modify the same ruleset.
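The following added example ties together RTP Support (5.1, item 8),
Bind Values (7.1, item 2) and the NAPT error codes 582-584 above. It
is not code from this draft. It allocates translated ports from a
pool, reserves the consecutive port for RTCP when rtp is TRUE, honours
an Agent's bindvals hint when it can, and otherwise fails with the
code the MB would return. Assumed here, since the draft leaves them
open: the bindvals syntax "address/port" (or a bare "port") for both
hints and results, RTP bindings taking an even port with RTCP on
port+1, and a single public address per NAPT. Code 585 is not
modelled because it concerns ruleset contention, not translation.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Command error codes proposed in section 8.
PORTS_UNAVAILABLE = 582
ADDR_PORT_IN_USE = 583
PORT_IN_USE = 584

Endpoint = Tuple[str, int]   # (address, port)


class NatError(Exception):
    """Carries the Megaco error code the MB would return to the Agent."""
    def __init__(self, code: int, text: str) -> None:
        super().__init__(f"{code} {text}")
        self.code = code


@dataclass(frozen=True)
class Bind:
    inside: Endpoint     # (address, port) on the ingress side
    outside: Endpoint    # translated (address, port)
    rtp: bool            # True: outside port+1 is the RTCP binding

    def bindvals(self) -> str:
        """What the MB reports back in bas-nat/bindvals (assumed syntax)."""
        return f"{self.outside[0]}/{self.outside[1]}"

    def translations(self) -> List[Tuple[Endpoint, Endpoint]]:
        """Per-flow mapping; with rtp TRUE the RTCP flow on port+1 is implied."""
        (ia, ip), (oa, op) = self.inside, self.outside
        rows = [((ia, ip), (oa, op))]
        if self.rtp:
            rows.append(((ia, ip + 1), (oa, op + 1)))
        return rows


class Napt:
    def __init__(self, public_addr: str, first_port: int, last_port: int) -> None:
        self.addr = public_addr
        self.pool = range(first_port, last_port + 1)
        self.in_use: Set[int] = set()

    def _free(self, ports) -> bool:
        return all(p in self.pool and p not in self.in_use for p in ports)

    def _first_free(self, rtp: bool) -> int:
        for p in self.pool:
            if rtp and p % 2:                 # RTP on an even port (assumption)
                continue
            if self._free((p, p + 1) if rtp else (p,)):
                return p
        raise NatError(PORTS_UNAVAILABLE, "Ports unavailable")

    def allocate(self, inside: Endpoint, rtp: bool = False,
                 hint: Optional[str] = None) -> Bind:
        """Create a binding, honouring the Agent's bindvals hint if possible."""
        if hint is None:
            port = self._first_free(rtp)
        else:
            addr, _, port_s = hint.rpartition("/")
            port = int(port_s)
            if addr and addr != self.addr:
                raise ValueError(f"hint address {addr} not served by this NAPT")
            wanted = (port, port + 1) if rtp else (port,)
            if any(p in self.in_use for p in wanted):
                # 583 when the Agent named address and port, 584 for port only
                code, text = ((ADDR_PORT_IN_USE, "Address and port already in use")
                              if addr else (PORT_IN_USE, "Port already in use"))
                raise NatError(code, text)
            if not self._free(wanted):
                raise NatError(PORTS_UNAVAILABLE, "Ports unavailable")
        self.in_use.update((port, port + 1) if rtp else (port,))
        return Bind(inside, (self.addr, port), rtp)

    def release(self, bind: Bind) -> None:
        """Subtracting the Termination returns the port(s) to the pool."""
        p = bind.outside[1]
        self.in_use.difference_update((p, p + 1) if bind.rtp else (p,))
```

The two in-use checks run before the pool check so that an Agent
asking for a specific binding learns whether it lost a race for that
port (583/584) or simply asked for a port outside the pool (582); the
distinction matters to an Agent deciding whether to retry with a new
hint or fall back to letting the MB choose.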
9 Package creation model for new Middlebox functions
The protocol should be able to incorporate several new types of
Middlebox functions. All new functions can be modeled as extensions
to the base Middlebox package. The new package will follow the
structure of the standard Megaco packages as defined in [4].
10 Security Considerations
Please refer to [3] for discussion. Note that an Agent authorized to
use these packages can open pinholes and allocate translations on the
Middlebox, and that wildcarding properties with ALL yields
correspondingly broad rulesets; the Agent-Middlebox association is
therefore assumed to be mutually authenticated and integrity
protected, as stated in section 4.
11 IANA Considerations
The document describes new Packages for Middleboxes providing
firewall and NAT functionality. The document also describes new
command error codes. Both of the above will need IANA registration.
12 References
[1] Brim, S., et al., "Midcom Requirements", midcom-reqs-bullets-
010910.txt, work in progress
[2] Sen, S., Aoun, C., and Taylor, T., "Applicability of Megaco for
Middlebox Control", draft-sct-midcom-megaco-00.txt, work in progress
[3] Srisuresh, P., Kuthan, J., and Rosenberg, J., "MIDCOM Architecture
& Framework", draft-ietf-midcom-framework-03.txt, work in progress
[4] Cuervo, F., et al., "Megaco Protocol Version 1.0", RFC 3015,
November 2000
13 Acknowledgments
The authors would like to thank Mark Watson for his useful comments
related to this draft.
14 Authors' Addresses
Sanjoy Sen
Nortel Networks
sanjoy@nortelnetworks.com
Cedric Aoun
Nortel Networks
cedric.aoun@nortelnetworks.com
Tom Taylor
Nortel Networks
taylor@nortelnetworks.com
15 Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
16 Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English. The limited permissions granted above are perpetual and
will not be revoked by the Internet Society or its successors or
assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE."