Internet Engineering Task Force                            T. Tsou, Ed.
Internet-Draft                                Huawei Technologies (USA)
Intended status: Informational                               T. Murakami
Expires: November 18, 2013                                   IP Infusion
                                                            S. Perreault
                                                                Viagenie
                                                            May 17, 2013


              Analysis of Algorithms For Deriving Port Sets
            draft-tsou-softwire-port-set-algorithms-analysis-04

Abstract

   This memo analyzes some port set definition algorithms used for
   stateless IPv4 to IPv6 transition technologies.  The transition
   technologies using port set algorithms can be divided into two
   categories: fully stateless approach and binding approach.  Some
   algorithms can work for both approaches.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 18, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Various Types of Algorithms
     3.1.  Binding Approach Algorithms
       3.1.1.  Mask/Value Algorithm
       3.1.2.  Cryptographic Algorithm
     3.2.  Fully Stateless: the Generalized Modulus Algorithm (GMA)
       3.2.1.  MAP-E
       3.2.2.  4rd-U
       3.2.3.  MAP-T
       3.2.4.  Evaluation
   4.  Conclusion
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   IPv6 transition technologies with address sharing can be divided into
   three categories, as suggested in [I-D.softwire-unified-cpe]:

   o  Fully stateful approach, e.g., [RFC6333].  Stateful solutions do
      not make use of port sets, and are out of scope for this memo.

   o  Binding approach, with per-subscriber state, e.g.,
      [I-D.softwire-lw4over6].  This type of algorithm does not embed
      port set information and the IPv4 address in the IPv6 address when
      doing translation or encapsulation, so a mapping entry is required
      in the border router.  This type of solution gives flexibility in
      address planning because the IPv4 address is not statically bound
      to the IPv6 address.  To some extent, the binding approach can
      also be called a partially stateless approach.

   o  Fully stateless approach, e.g., [I-D.softwire-map].  This type of
      algorithm embeds port set information and an IPv4 address in the
      IPv6 address.  For a given port number and IPv4 address, the
      corresponding IPv6 address can be calculated using a limited set
      of mapping rules rather than a mapping entry per subscriber.

   Binding and stateless technologies can significantly simplify the
   implementation of the border router and reduce resource requirements.
   In these solutions, a port set is assigned to each CPE, and can be
   calculated from a port set identifier (PSID) in conjunction with some
   other parameters.  For a given port number, the corresponding PSID
   can also be derived; that is, the mapping algorithm must be
   reversible.

   Some port set definition algorithms have been proposed to support
   these technologies.  It may be useful to analyze the characteristics
   of these algorithms for better understanding and to choose a proper
   algorithm for different needs.

   A good port set definition algorithm must be reversible and easy to
   implement.  It must be able to exclude the well-known ports (0-1023).
   It should be able to define non-continuous or random port sets for
   the modest gain in security against port-guessing attacks that these
   provide.  For the fully stateless method, the restrictions imposed by
   the algorithm on the choice of IPv6 addresses for customer equipment
   should be minimized.  To simplify administration, the total number of
   ports assigned should be roughly the same for each port set derived
   by the algorithm.  Finally, the algorithm should be adaptable to a
   wide range of address sharing ratios.

   This memo will analyze the following characteristics:

   o  Implementation: implementation complexity, performance, etc.

   o  Whether the port set identifier (PSID) can be calculated from the
      port number at the Border Router (BR).

   o  Whether the well-known ports can be excluded without excluding
      other ports.

   o  Port set type: continuous, non-continuous, random.  A continuous
      port set provides only ordinary security; a random port set
      provides good security.

   o  Stateless: whether per-subscriber provisioning is required at the
      BR, yes or no.

   o  Friendliness for NAT44: whether it complies with NAT44 [RFC5382]
      or not.

   o  Sharing ratio: maximum and minimum sharing ratio.

2.  Terminology

   BR:   Border Router.

   CPE:  Customer Premises Equipment.

   GMA:  Generalized Modulus Algorithm.

   MAP:  Mapping of Address and Port.

   PSID: Port Set Identifier, one of the key parameters used to derive
         the set of ports allocated to a given CPE.

3.  Various Types of Algorithms

3.1.  Binding Approach Algorithms

3.1.1.  Mask/Value Algorithm

   [RFC6431] defines an option for the PPP Internet Protocol Control
   Protocol (IPCP) [RFC1332] to allocate port sets to CPEs, as shown in
   Figure 1.  The Port Range Value plays the role of a PSID.  The
   example in [RFC6431] shows the case of a mask selecting a port number
   prefix, but the mask can be more general.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|           Reserved          |        Port Range Value       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Port Range Mask        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        Figure 1: IPCP Option Format For Port Set Identifier (PSID)

   [I-D.softwire-lw4over6] also uses this type of port set definition
   algorithm, for which provisioning is defined in
   [I-D.sun-dhc-port-set-option].  Figure 2 illustrates the DHCP option.

    0                   1
    0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
   |     OPTION_PORT_SET   |     option-length     |
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
   |                Port Set Index                 |
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
   |                Port Set Mask                  |
   +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

                 Figure 2: DHCP Port Set Option Format

   The bit-wise AND of port set index and mask can be encoded in an IPv6
   address, which will turn it into a fully stateless solution, similar
   to parameter PSID in other technologies, e.g., MAP
   [I-D.softwire-map].

   The Port Range Value corresponding to a given port can be derived by
   performing the bit-wise AND of the port number with the Port Range
   Mask.

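   The derivation just described, together with the mask and value of
   the Figure 3 example that follows, as an added Python example (this
   is not code from the draft, from RFC 6431 or from any lw4over6
   implementation).  The Figure 3 pair 0x1400/0x0400 is the draft's; the
   prefix-style mask 0xFC00, the overlap check and the helper names are
   constructed here to show the continuous case and the NAT port
   overloading caveat recorded in Table 1.

```python
# Added example (not from the draft): the mask/value port set used by the
# RFC 6431 IPCP option and the lw4over6 DHCP option.  A port belongs to a
# subscriber's set when (port AND mask) == value: the Port Range Mask picks
# the significant bits and the Port Range Value (the PSID) fixes them.

PORT_SPACE = 65536        # 16-bit port numbers
WELL_KNOWN_MAX = 1023     # well-known ports are 0-1023


def port_range_value(port, mask):
    """Derive the Port Range Value (PSID) of a port: bit-wise AND with the mask."""
    return port & mask


def in_port_set(port, mask, value):
    """Membership test a BR performs on the destination port of an inbound packet."""
    return (port & mask) == value


def port_set(mask, value):
    """Enumerate every usable port for a mask/value pair."""
    if value & ~mask & 0xFFFF:
        raise ValueError("Port Range Value sets bits outside the Port Range Mask")
    return [p for p in range(PORT_SPACE) if (p & mask) == value]


def is_continuous(ports):
    """True when the set is a single run of consecutive ports (prefix-style mask)."""
    return ports == list(range(ports[0], ports[0] + len(ports)))


def sharing_ratio(mask):
    """Subscribers per IPv4 address: one per distinct value, i.e. 2^(bits in mask)."""
    return 1 << bin(mask & 0xFFFF).count("1")


def includes_well_known(mask, value):
    """Does the set contain any port in 0-1023?  Those ports have bits 10-15
    clear, so the set touches them exactly when the value has no bit set in
    10-15 (the matching low port is then value & 0x3FF).  This is why a
    mask/value scheme cannot simply drop 0-1023: some value always hits them."""
    return (value & 0xFC00) == 0


def port_sets_overlap(mask1, value1, mask2, value2):
    """Two mask/value sets share at least one port iff their values agree on
    the bits that both masks select.  Sets handed to different subscribers
    behind one address must not overlap, or the NAT overloads ports."""
    common = mask1 & mask2
    return (value1 & common) == (value2 & common)


def summarize(mask, value):
    """Characteristics of one port set, in the terms of the draft's tables."""
    ports = port_set(mask, value)
    return {
        "count": len(ports),
        "first": ports[0],
        "continuous": is_continuous(ports),
        "ratio": sharing_ratio(mask),
        "well_known": includes_well_known(mask, value),
    }


if __name__ == "__main__":
    # Figure 3: mask 0x1400 (bits 3 and 5 counted from the MSB), value 0x0400,
    # so usable ports are x x x 0 x 1 x x x x x x x x x x.
    print(summarize(0x1400, 0x0400))
    # A prefix-style mask of six high-order bits: 64 continuous blocks of 1024.
    print(summarize(0xFC00, 0x0400))
    # Mixing masks between subscribers: 0xFC00/0x0400 lies inside 0x1400/0x0400.
    print(port_sets_overlap(0x1400, 0x0400, 0xFC00, 0x0400))
```

   With a prefix-style mask the sets are continuous and exactly one
   value per 1024-port block contains the well-known ports; with a
   scattered mask such as 0x1400 the sets are non-continuous, and the
   overlap check is the one to run before assigning different masks to
   subscribers sharing an address.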
    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0|  Port Range Mask
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          |   |
          |   |                      (two significant bits)
          v   v
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0|  Port Range Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |x x x 0 x 1 x x x x x x x x x x|  Usable ports
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  (x may be set to 0 or 1)

        Figure 3: Example of Port Range Mask and Port Range Value

   This algorithm can have some kind of randomization effect by setting
   different numbers of bits, and bits at different locations, in the
   Port Range Mask.

   This algorithm may have a problem if the well-known ports (0-1023)
   need to be excluded; it is a bit difficult to achieve that.  But if
   the operator does not have a specific usage for the well-known ports,
   then it is safe to allocate those ports to end users, just like other
   common ports.  Some tests have been done to confirm this.

   +----------------+--------------------------------------------------+
   | Criterion      | Result                                           |
   +----------------+--------------------------------------------------+
   | Implementation | Easy                                             |
   | PSID from port | Yes                                              |
   | number         |                                                  |
   | Port exclusion | Difficult                                        |
   | Port set type  | Continuous with prefix, non-continuous otherwise |
   | Stateless      | Requires BR to know mask, could be               |
   |                | subscriber-independent.                          |
   | NAT compliance | Care must be taken to avoid port overloading if  |
   |                | mask varies between subscribers.                 |
   | Sharing ratio  | Can vary from 1 to 65536 subscribers per         |
   |                | address.                                         |
   +----------------+--------------------------------------------------+

               Table 1: Evaluation of Mask/Value Algorithm

3.1.2.  Cryptographic Algorithm

   The cryptographic port set definition algorithm introduced in
   [RFC6431] can provide very good protection against port guessing
   attacks, but it is very difficult to derive the port set information,
   e.g., the starting point, from a given port number.  This algorithm
   can only be used in binding scenarios; the BR must operate in per-
   subscriber state mode.

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|           Reserved          |           function            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        starting point         |   number of delegated ports   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            key K ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                                                           ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                                                           ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...                                                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     Figure 4: Format of the Cryptographically Random Port Range Option

   +---------------------+---------------------------------------------+
   | Criterion           | Result                                      |
   +---------------------+---------------------------------------------+
   | Implementation      | Difficult                                   |
   | PSID from port      | No (note)                                   |
   | number              |                                             |
   | Port exclusion      | Difficult                                   |
   | Port set type       | Continuous or non-continuous                |
   | Stateless           | Binding mode only.                          |
   | NAT compliance      | Care must be taken to avoid port            |
   |                     | overloading.                                |
   | Sharing ratio       | Can vary from 1 to 65536 subscribers per    |
   |                     | address.                                    |
   +---------------------+---------------------------------------------+

              Table 2: Evaluation of Cryptographic Algorithm

   Note: it may be possible to find a cryptographic algorithm which can
   be reversed, e.g., define a reversible one-to-one mapping algorithm.
   But that is out of the scope of this memo.  If strong security is
   required, it may be worth giving this topic further study.

3.2.  Fully Stateless: the Generalized Modulus Algorithm (GMA)

   Currently there are three drafts supporting the GMA-style algorithm:
   MAP-E [I-D.softwire-map], 4rd-U [I-D.softwire-4rd], and MAP-T
   [I-D.softwire-map-t], but they are not all exactly the same.

3.2.1.  MAP-E

   In MAP [I-D.softwire-map], a port set can be defined by the following
   parameters:

   R: sharing ratio;

   P: PSID;

   M: maximum number of contiguous ports.

   To derive the set of port numbers in the port set corresponding to a
   given PSID value, the following equation can be used:

      Port = (R * M) * i + M * PSID + j

   where i and j are indices which vary within limits to provide the
   different port numbers belonging to the port set.  The range of i
   depends on the value (R * M) and the range of j is from 0 to (M - 1).

   If (R * M) is less than or equal to 2^15, ports (e.g., the well-known
   ports 0-1023) can be excluded from the lower end by putting a lower
   limit dependent on the value (R * M) on index i.  In this case, each
   port set defined by the algorithm consists of a series of ranges of M
   consecutive port numbers at intervals of (R * M).

   On the other hand, if (R * M) is greater than 2^15, the first term
   drops out of the above equation and a lower limit dependent on the
   value of M has to be imposed on the value of PSID to exclude the
   well-known ports.  In this case, each PSID is associated with a
   single range of M consecutive port numbers.

   The GMA is easily reversible.  For a given port number, the
   corresponding PSID is given by:

      PSID = floor((Port modulo (R * M)) / M)

   If R and M are powers of 2, this becomes a mask operation.  The mask
   consists of 'a' high-order zeroes, followed by 'k' ones, followed by
   'm' low-order zeroes, where:

      2^a = 65536 / (R * M);

      2^m = M;

      k = 16 - a - m.

   See Figure 5.

   MAP-E defaults to a value of 'a' equal to 6.  Thus by constraining
   the index i to be >= 1, exactly the well-known port range is
   excluded.  Also, each port set consists of 63 equally-sized ranges of
   consecutive values spaced 1024 ports apart.

    0               8                15
   +---------------+-----------------+-------------------+
   |       i       |      PSID       |         j         |
   +---------------+-----------------+-------------------+
   |<----a bits--->|<----k bits----->|<-----m bits------>|

     Figure 5: GMA Bit Representation Of a Port Number When R and M Are
                                Powers Of 2

   For a complete explanation of the GMA, see Appendix B of
   [I-D.softwire-map].

   MAP-E embeds the PSID in the End User IPv6 Address provisioned on the
   customer edge device.  See Figure 6.  The PSID's location within the
   address is determined from the Basic Mapping Rule applicable to the
   subscriber.  A mask to extract the PSID from that address is
   described as follows:

   o  High-order zeroes in the amount of (n + 32 - r) bits, where n is
      the length of the IPv6 prefix in the Basic Mapping Rule and r is
      the length of the IPv4 prefix in that rule.

   o  Ones in the amount of (r + o - 32) bits, where o is the number of
      EA bits given by the rule.

   o  Zeroes for the remaining low-order portion of the address.

   This operation is valid only if (r + o) is greater than 32.  If not,
   the IPv4 address or prefix assigned to the subscriber is unshared and
   the customer edge device can use every port.

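   The GMA forward and reverse mappings, the mask form with 'a', 'k' and
   'm', and the PSID extraction mask for the MAP-E End User IPv6 address,
   as one added Python example (not the draft's code and not the MAP
   specification's).  The Basic Mapping Rule (n = 40, r = 24, o = 16,
   hence R = 256, 'a' = 6, M = 4), the address 2001:db8:2d:3400::1 and
   the IPv4 prefix 192.0.2.0/24 are constructed for illustration; the
   helper names are assumptions of this example.

```python
# Added example (not from the draft or the MAP specification): the GMA as
# described above, its mask form for power-of-two R and M, and PSID / IPv4
# extraction from a MAP-E End User IPv6 address.  All rule parameters and
# addresses below are constructed for illustration.
import ipaddress

PORT_SPACE = 65536
WELL_KNOWN = 1024        # ports 0-1023 are the ones to exclude


def gma_port_set(R, M, psid, exclude_well_known=True):
    """Ports of one PSID: (R*M)*i + M*psid + j, with i the block index and
    j in 0..M-1.  Exclusion of 0-1023 follows the two cases in the text."""
    if not 0 <= psid < R:
        raise ValueError("PSID must lie in [0, R)")
    block = R * M
    i_min = 0
    if block <= 2 ** 15:
        # Several blocks fit in 16 bits: skip the blocks that overlap 0-1023,
        # i.e. i >= ceil(1024 / (R*M)).  For R*M == 1024 ('a' = 6) this is
        # exactly i >= 1; for R*M == 4096 ('a' = 4) it also drops 1024-4095.
        if exclude_well_known:
            i_min = -(-WELL_KNOWN // block)
    elif exclude_well_known and M * psid < WELL_KNOWN:
        # Only i = 0 fits in 16 bits, so exclusion must constrain the PSID.
        return []
    ports = []
    for i in range(i_min, PORT_SPACE // block):
        base = block * i + M * psid
        ports.extend(range(base, base + M))
    return ports


def psid_from_port(port, R, M):
    """Reverse mapping the BR applies to a port: floor((port mod (R*M)) / M)."""
    return (port % (R * M)) // M


def gma_params(a, k):
    """Mask form: 2^a = 65536/(R*M), 2^m = M, k = 16 - a - m.  Returns (R, M, m)."""
    m = 16 - a - k
    return 1 << k, 1 << m, m


def gma_fields(port, a, k):
    """Split a port into (i, PSID, j) by masking, valid for power-of-two R, M."""
    m = 16 - a - k
    return port >> (k + m), (port >> m) & ((1 << k) - 1), port & ((1 << m) - 1)


def psid_mask(n, r, o):
    """128-bit mask extracting the PSID from an End User IPv6 address:
    (n + 32 - r) zeroes, (r + o - 32) ones, zeroes for the rest.  Only
    meaningful when r + o > 32; otherwise the IPv4 address is unshared."""
    q = r + o - 32
    if q <= 0:
        raise ValueError("r + o <= 32: IPv4 address is unshared, no PSID")
    return ((1 << q) - 1) << (128 - n - o)


def psid_from_address(addr, n, r, o):
    """PSID = the q = o - (32 - r) low-order EA bits of the address."""
    a = int(ipaddress.IPv6Address(addr))
    return (a & psid_mask(n, r, o)) >> (128 - n - o)


def ipv4_from_address(addr, n, r, o, ipv4_prefix):
    """IPv4 address = rule IPv4 prefix (r bits) + the (32 - r) high-order EA bits."""
    a = int(ipaddress.IPv6Address(addr))
    suffix = (a >> (128 - n - (32 - r))) & ((1 << (32 - r)) - 1)
    prefix = int(ipaddress.IPv4Address(ipv4_prefix)) & (((1 << r) - 1) << (32 - r))
    return str(ipaddress.IPv4Address(prefix | suffix))


if __name__ == "__main__":
    # Constructed Basic Mapping Rule: IPv6 prefix 2001:db8::/40 (n = 40),
    # IPv4 prefix 192.0.2.0/24 (r = 24), o = 16 EA bits -> 8 IPv4 suffix bits
    # and q = 8 PSID bits, so R = 256, 'a' = 6, M = 4.
    addr = "2001:db8:2d:3400::1"
    psid = psid_from_address(addr, 40, 24, 16)
    print(hex(psid_mask(40, 24, 16)), psid, ipv4_from_address(addr, 40, 24, 16, "192.0.2.0"))
    ports = gma_port_set(256, 4, psid)
    print(len(ports), ports[:8], psid_from_port(ports[0], 256, 4), gma_fields(ports[0], 6, 8))
```

   For the constructed rule the subscriber gets 63 ranges of 4 ports
   spaced 1024 apart, every one of them maps back to the same PSID, and
   the modulus form and the (i, PSID, j) mask form agree on each port.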
   |          32 bits         |        |      16 bits      |
   +--------------------------+        +-------------------+
   |  IPv4 endpoint address   |        |  Port in port set |
   +--------------------------+        +-------------------+
   :               :          :        :      ___/         :
   |    r bits     |32-r bits |        | / q bits          :  q = o - (32-r)
   +---------------+----------+        +------------+
   |  IPv4 prefix  |IPv4 sufx |        |Port Set ID |
   +---------------+----------+        +------------+
                \           /     ____/    ________/
                 \         :   __/    _____/
                  \        :  /      /
   |       n bits       |  o bits   | s bits  |    128-n-o-s bits     |
   +--------------------+-----------+---------+-----------------------+
   |  Rule IPv6 prefix  |  EA bits  |subnet ID|     interface ID      |
   +--------------------+-----------+---------+-----------------------+
   |<---  End-user IPv6 prefix  --->|

           Figure 6: Structure of the MAP-E End User IPv6 Address

3.2.2.  4rd-U

   Everything that was described in the previous section for MAP-E also
   applies to 4rd-U [I-D.softwire-4rd], with two differences.  First,
   the mapping rule applicable to a particular customer site includes an
   indication of whether the customer edge equipment is permitted to use
   the well-known ports or whether they must be excluded.

   If the well-known ports are to be excluded, the default value of 'a'
   (recall Figure 5) is 4 rather than 6.  That means that the port set
   consists of 15 rather than 63 ranges, spaced 4096 values apart.  It
   also means that ports 0-4095 rather than ports 0-1023 are excluded.
   At an earlier point in time MAP-E had the same default, for which the
   4rd-U document provides arguments.  However, it was decided that the
   waste of ports entailed (which implies a 6% reduction in the number
   of subscribers sharing the same IPv4 address) was a sufficient reason
   to change.  However, see Section 4 for new evidence on this point.

   If the well-known ports can be used, the default value of 'a' is
   zero.  That is, the PSID is positioned at the beginning of the port
   number.  As mentioned in the previous section, this implies that
   subscribers assigned this mapping rule are assigned a single range of
   consecutive ports.  The subscribers assigned the lowest PSID values
   receive port sets consisting partly or completely of well-known port
   number values.

3.2.3.  MAP-T

   MAP-T [I-D.softwire-map-t] uses the same algorithm to assign port
   sets to customer sites, this time with just one difference.  The
   default value of the offset 'a' is always 4.  The consequences in
   terms of wasted ports were spelled out in the previous section.

3.2.4.  Evaluation

   This section provides an evaluation of the GMA against our comparison
   criteria.

   +----------------+--------------------------------------------------+
   | Criterion      | Result                                           |
   +----------------+--------------------------------------------------+
   | Implementation | Easy                                             |
   | PSID from port | Yes                                              |
   | number         |                                                  |
   | Port exclusion | Easy, but using a value of the offset 'a'        |
   |                | between 1 and 5 wastes ports and hence reduces   |
   |                | the maximum practical sharing ratio.             |
   | Port set type  | Continuous for 'a' = 0, non-continuous otherwise |
   | Stateless      | No subscriber-specific data required.            |
   | NAT compliance | Port sets are guaranteed to be non-overlapping.  |
   | Sharing ratio  | Equal to 65536/(M * 2^a), where M is the range   |
   |                | size for all subscribers sharing the same        |
   |                | address.  See note.                              |
   +----------------+--------------------------------------------------+

                     Table 3: Evaluation of the GMA

   Note: a practical value of the total number of ports in the port set
   is on the order of 400.  Suppose one wants to guarantee each
   subscriber at least this number of ports.  Recall that the number of
   equal ranges into which the port allocation is divided is equal to 1
   for a = 0, 15 for a = 4, and 63 for a = 6.  Because of the assumption
   of equal range sizes, the number of ports M in each range has to be
   rounded up in the general case to give a total number of ports at
   least equal to 400.  Table 4 shows the consequent impact on sharing
   ratio.  The rounding effect very much dominates the results.  If the
   target were 305 ports instead, the sharing ratio would be the same
   for all three values of a, since 305 is a multiple of 15 and 63.

   +---+-----+----------+--------------+------------+---------+
   | a | 2^a | # Ranges | Range Size M | Tot. Ports | Ratio R |
   +---+-----+----------+--------------+------------+---------+
   | 0 |   1 |        1 |          400 |        400 |     163 |
   | 4 |  16 |       15 |           27 |        405 |     151 |
   | 6 |  64 |       63 |            7 |        441 |     146 |
   +---+-----+----------+--------------+------------+---------+

     Table 4: Port Allocations and Range Size For Different Values Of
                                  Offset a

   In Table 4, the value M is rounded up from the ratio 400/N, where N
   is the number of separate ranges in the port set.  The total number
   of ports in the port set is this result multiplied by the number of
   ranges.  The sharing ratio is then the stated 65536/(M * 2^a),
   rounded down to ensure every subscriber sharing the address gets the
   same number of ports.  For a = 0, this ratio would be reduced by 3 to
   exclude the three ranges containing well-known ports.

4.  Conclusion

   The Generalized Modulus Algorithm (GMA) clearly comes the closest to
   satisfying all of our criteria.  As the example calculation in
   Table 4 shows, the sharing ratio is sensitive to the rounding
   necessary to guarantee at least a certain total number of ports to
   each subscriber.

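   The Table 4 arithmetic, including the 441-port variant discussed
   later in this section, as an added Python example that is not part
   of the draft.  The 400-port target and the offsets 0, 4 and 6 are the
   draft's own figures; the function names are assumptions of this
   example.

```python
# Added example (not from the draft): the rounding behind Table 4.  For a
# target number of ports per subscriber, round the range size M up so that
# N ranges give at least the target, then take the sharing ratio
# 65536/(M * 2^a) rounded down.
import math

PORT_SPACE = 65536
WELL_KNOWN = 1024


def range_count(a):
    """Equal ranges per port set: the 2^a blocks minus the i = 0 block that
    holds the well-known ports when a > 0; a single range when a = 0."""
    return (1 << a) - 1 if a > 0 else 1


def allocation(a, target_ports):
    """One row of Table 4 for offset a and the given per-subscriber target."""
    n = range_count(a)
    M = math.ceil(target_ports / n)           # range size, rounded up
    ratio = PORT_SPACE // (M * (1 << a))      # subscribers per address, rounded down
    row = {"a": a, "ranges": n, "M": M, "total": M * n, "ratio": ratio}
    if a == 0:
        # With a single range per subscriber, the lowest PSIDs cover 0-1023;
        # withholding those ranges lowers the usable ratio (3 for M = 400).
        row["ratio_excluding_well_known"] = ratio - math.ceil(WELL_KNOWN / M)
    return row


def table4(target_ports=400, offsets=(0, 4, 6)):
    """Rows of Table 4 (or of the same table for another target)."""
    return [allocation(a, target_ports) for a in offsets]


def ratio_gap(target_ports):
    """ratio(a = 6) minus ratio(a = 4): positive when the larger offset,
    although it excludes 3072 more ports, still gives the better ratio."""
    return allocation(6, target_ports)["ratio"] - allocation(4, target_ports)["ratio"]


def crossover_targets(lo, hi):
    """Targets in [lo, hi] for which a = 6 beats a = 4, i.e. where rounding
    of M dominates the port waste."""
    return [t for t in range(lo, hi + 1) if ratio_gap(t) > 0]


if __name__ == "__main__":
    for row in table4():
        print(row)
    print("gap at 400:", ratio_gap(400), " gap at 441:", ratio_gap(441))
    print("targets between 380 and 460 where a = 6 wins:", crossover_targets(380, 460))
```

   The gap function is the quick way to see the rounding effect the
   text describes: at a 400-port target a = 4 wins by five subscribers
   per address, while at 441 ports a = 6 wins by ten.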
   In this regard, sensitivity will be higher for larger values of the
   offset parameter 'a', leading to the surprising result that for some
   ranges of values of the target total number of ports, the sharing
   ratio will be less for a = 6 than for a = 4 even though the latter
   wastefully excludes an extra 3072 ports.

   The sensitivity of this result to the target total number of ports
   per subscriber is shown if one assumes that that number is 441 ports.
   Then the sharing ratio for a = 6 remains at 146, but that for a = 4
   drops to 136.

   The mask/value algorithm is really a generalization of the GMA.  One
   has the GMA if the one-bits of the mask are constrained to be
   consecutive.  The difference between the binding and fully stateless
   approaches lies not in the algorithm itself, but in how the algorithm
   parameters are conveyed to the border router.  Binding uses per-
   subscriber rules.  The fully stateless approaches reviewed in this
   document use a combination of shared mapping rules and information
   embedded in specially-constructed addresses.

5.  IANA Considerations

   This memo includes no request to IANA.

6.  Security Considerations

   The major security consideration related to the subject matter of
   this document is the vulnerability of port allocation to a port
   guessing attack.  See [RFC6056] for details.  The most important
   factor in countering such an attack is to allocate ports randomly
   from the assigned port set as they are required by different
   applications.  However, allocating port sets as non-continuous or
   random entities requires the attacker to go to some extra effort in
   order to determine the complete port set allocated to a subscriber.
   Thus resistance to port guessing attacks is improved to a certain
   degree by allocating non-continuous port sets.  For the GMA, this
   means that non-zero values of the offset value 'a' are to be
   preferred.

7.  References

7.1.  Normative References

   [RFC5382]  Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, October 2008.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056,
              January 2011.

   [RFC6431]  Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and
              T. Tsou, "Huawei Port Range Configuration Options for PPP
              IP Control Protocol (IPCP)", RFC 6431, November 2011.

7.2.  Informative References

   [I-D.bsd-softwire-stateless-port-index-analysis]
              Boucadair, M., Skoberne, N., and W. Dec, "Analysis of Port
              Indexing Algorithms", September 2011.

   [I-D.softwire-4rd]
              Jiang, S., Despres, R., Penno, R., Lee, Y., Chen, G., and
              M. Chen, "IPv4 Residual Deployment Via IPv6 - A Unified
              Stateless Solution (4rd) (Work in progress)", April 2013.

   [I-D.softwire-lw4over6]
              Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Li, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the DS-Lite
              Architecture (Work in progress)", April 2013.

   [I-D.softwire-map]
              Troan, O., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, "Mapping of Address and Port
              (MAP) (Work in progress)", May 2013.

   [I-D.softwire-map-t]
              Li, X., Bao, C., Dec, W., Troan, O., Matsushima, S., and
              T. Murakami, "Mapping of Address and Port using
              Translation (MAP-T)", February 2013.

   [I-D.softwire-unified-cpe]
              Boucadair, M. and I. Farrer, "Unified IPv4-in-IPv6
              Softwire CPE (Work in progress)", March 2013.

   [I-D.sun-dhc-port-set-option]
              Sun, Q., Li, Y., Sun, Q., Bajko, G., and M. Boucadair,
              "Dynamic Host Configuration Protocol (DHCP) Option for
              Port Set Assignment (Work in progress)", April 2013.

   [RFC1332]  McGregor, G., "The PPP Internet Protocol Control Protocol
              (IPCP)", RFC 1332, May 1992.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

Authors' Addresses

   Tina Tsou (editor)
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara, CA 95050
   USA

   Phone: +1 408 330 4424
   Email: tina.tsou.zouting@huawei.com


   Tetsuya Murakami
   IP Infusion
   1188 East Arques Avenue
   Sunnyvale
   USA

   Email: tetsuya.murakami@ipinfusion.com


   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI:   http://viagenie.ca