Analysis of Algorithms For Deriving Port Sets

Internet Engineering Task Force (INT area)

Author contact information:
   Huawei Technologies (USA), 2330 Central Expressway, Santa Clara, CA
   95050, USA, +1 408 330 4424, tina.tsou.zouting@huawei.com
   IP Infusion, 1188 East Arques Avenue, Sunnyvale, USA,
   tetsuya.murakami@ipinfusion.com
   Viagenie, 246 Aberdeen, Quebec, QC G1R 2E1, Canada, +1 418 656 9254,
   simon.perreault@viagenie.ca, http://viagenie.ca

This memo analyzes some port set definition algorithms used for
stateless IPv4 to IPv6 transition technologies. The transition
technologies using port set algorithms can be divided into two
categories: the fully stateless approach and the binding approach. Some
algorithms can work for both approaches.

IPv6 transition technologies with address sharing can be divided into
three categories, as suggested in :
o  Fully stateful approach, e.g. . Stateful solutions do not make use
   of port sets, and are out of scope for this memo.

o  Binding approach, with per-subscriber state, e.g., . This type of
   algorithm does not embed port set information and the IPv4 address
   in the IPv6 address when doing translation or encapsulation, so a
   mapping entry is required in the border router. This type of
   solution gives flexibility in address planning because the IPv4
   address is not statically bound to the IPv6 address. To some
   extent, the binding approach can also be called a partially
   stateless approach.

o  Fully stateless approach, e.g., . This type of algorithm embeds
   port set information and an IPv4 address in the IPv6 address. For a
   given port number and IPv4 address, the corresponding IPv6 address
   can be calculated using a limited set of mapping rules rather than
   a mapping entry per subscriber.

Binding and stateless technologies can significantly simplify the
implementation of the border router and reduce resource requirements.
In these solutions, a port set is assigned to each CPE, and can be
calculated from a port set identifier (PSID) in conjunction with some
other parameters. For a given port number, the corresponding PSID can
also be derived; that is, the mapping algorithm must be reversible.

Some port set definition algorithms have been proposed to support these
technologies. It is useful to analyze the characteristics of these
algorithms in order to understand them better and to choose a proper
algorithm for different needs.

A good port set definition algorithm must be reversible and easy to
implement. It must be able to exclude the well-known ports (0-1023). It
should be able to define non-continuous or random port sets, for the
modest gain in security against port-guessing attacks that these
provide. For the fully stateless method, the restrictions imposed by
the algorithm on the choice of IPv6 addresses for customer equipment
should be minimized. To simplify administration, the total number of
ports assigned should be roughly the same for each port set derived by
the algorithm. Finally, the algorithm should be adaptable to a wide
range of address sharing ratios.

This memo will analyze the following characteristics:
o  Implementation: implementation complexity, performance, etc.

o  PSID from port number: whether the port set identifier (PSID) can
   be calculated from the port number at the Border Router (BR).

o  Port exclusion: whether the well-known ports can be excluded
   without excluding other ports.

o  Port set type: continuous, non-continuous, or random. A continuous
   port set provides common security; a random port set provides good
   security.

o  Stateless: whether per-subscriber provisioning at the BR is
   required, yes or no.

o  Friendliness for NAT44: whether the algorithm complies with NAT44
   or not.

o  Sharing ratio: maximum and minimum sharing ratio.

Terminology used in this memo:

   BR    Border Router.
   CPE   Customer Premise Equipment.
   GMA   Generalized Modulus Algorithm.
   MAP   Mapping of Address and Port.
   PSID  Port Set Identifier, one of the key parameters used to derive
         the set of ports allocated to a given CPE.

defines an option for the PPP
Internet Protocol Control Protocol (IPCP) to allocate port sets to
CPEs, as shown in . The Port Range Value plays the role of a PSID. The
example in shows the case of a mask selecting a port number prefix, but
the mask can be more general. also uses this type of port set
definition algorithm, for which provisioning is defined in .
illustrates the DHCP option.

The bit-wise AND of port set index and mask can be encoded in an IPv6
address, which turns it into a fully stateless solution, similar to the
PSID parameter in other technologies, e.g., MAP.

The Port Range Value corresponding to a given port can be derived by
performing the bit-wise AND of the port number with the Port Range
Mask.

This algorithm can have some kind of randomization effect by setting
different numbers of bits, and bits at different locations, in the Port
Range Mask.

This algorithm may have a problem if the well-known ports (0-1023) need
to be excluded; that is a bit difficult to achieve. But if the operator
does not have a specific usage for the well-known ports, then it is
safe to allocate those ports to end users, just like other common
ports. Some tests have been done to confirm this.

   +---------------------+--------------------------------------------+
   | Criterion           | Result                                     |
   +---------------------+--------------------------------------------+
   | Implementation      | Easy                                       |
   | PSID from port      | Yes                                        |
   | number              |                                            |
   | Port exclusion      | Difficult                                  |
   | Port set type       | Continuous with prefix, non-continuous     |
   |                     | otherwise                                  |
   | Stateless           | Requires BR to know mask, could be         |
   |                     | subscriber-independent.                    |
   | NAT compliance      | Care must be taken to avoid port           |
   |                     | overloading if mask varies between         |
   |                     | subscribers.                               |
   | Sharing ratio       | Can vary from 1 to 65536 subscribers per   |
   |                     | address.                                   |
   +---------------------+--------------------------------------------+

The cryptographic port set definition algorithm introduced in can
provide very good protection against port
guessing attacks, but it is very difficult to derive the port set
information, e.g., the starting point, from a given port number. This
algorithm can only be used in binding scenarios; the BR must operate
in per-subscriber state mode.

   +---------------------+--------------------------------------------+
   | Criterion           | Result                                     |
   +---------------------+--------------------------------------------+
   | Implementation      | Difficult                                  |
   | PSID from port      | No (see note)                              |
   | number              |                                            |
   | Port exclusion      | Difficult                                  |
   | Port set type       | Continuous or non-continuous               |
   | Stateless           | Binding mode only.                         |
   | NAT compliance      | Care must be taken to avoid port           |
   |                     | overloading.                               |
   | Sharing ratio       | Can vary from 1 to 65536 subscribers per   |
   |                     | address.                                   |
   +---------------------+--------------------------------------------+

Note: it may be possible to find a cryptographic algorithm which can be
reversed, e.g., by defining a reversible one-to-one mapping algorithm.
But that is out of the scope of this memo. If strong security is
required, this topic may be worth further study.

Currently there are three drafts supporting the GMA style
algorithm: MAP-E, 4rd-U, and MAP-T, but they are not all exactly the
same. In MAP, a port set can be defined by the following parameters:

   R: sharing ratio;
   P: PSID;
   M: maximum number of contiguous ports.

To derive the set of port numbers in the port set corresponding to a
given PSID value, the following equation can be used:

   Port = (R * M) * i + M * PSID + j
where i and j are indices which vary within limits to provide the
different port numbers belonging to the port set. The range of i
depends on the value (R * M) and the range of j is from 0 to (M - 1).

If (R * M) is less than or equal to 2^15, ports (e.g., the well-known
ports 0-1023) can be excluded from the lower end by putting a lower
limit, dependent on the value (R * M), on index i. In this case, each
port set defined by the algorithm consists of a series of ranges of M
consecutive port numbers at intervals of (R * M).

On the other hand, if (R * M) is greater than 2^15, the first term
drops out of the above equation and a lower limit dependent on the
value of M has to be imposed on the value of PSID to exclude the
well-known ports. In this case, each PSID is associated with a single
range of M consecutive port numbers.

The GMA is easily reversible. For a given port number, the
corresponding PSID is given by:

   PSID = floor( (Port modulo (R * M)) / M )

If R and M are powers of 2, this becomes a mask operation. The mask
consists of 'a' high-order zeroes, followed by 'k' ones, followed by
'm' low-order zeroes, where:

   2^a = 65536 / (R * M);
   2^m = M;
   k = 16 - a - m.
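The following Python is an added worked example (not code from this memo, nor from any MAP or 4rd implementation) covering both the mask/value algorithm described earlier and the GMA as its special case whose mask has consecutive one-bits. It shows the forward derivation, the reverse (BR-side) derivation, what excluding the well-known ports costs under each algorithm, and the port-overloading risk when masks differ between subscribers; all parameter values are constructed for illustration.

```python
# Added example, not code from the memo or any MAP/4rd implementation.
# Mask/value port sets, and the GMA as the special case whose mask has
# consecutive one-bits.  Ports are 16-bit; all parameter values are constructed.

def mask_value_ports(mask, value):
    """Ports whose bit-wise AND with the Port Range Mask equals the Port Range Value."""
    assert value & ~mask & 0xFFFF == 0, "value must lie within the mask bits"
    return [p for p in range(65536) if p & mask == value]

def port_range_value(port, mask):
    """Reverse direction, as done at the BR: Port Range Value (PSID) from a port."""
    return port & mask

def gma_mask(R, M):
    """R and M powers of two: mask of 'a' high zeroes, 'k' ones, 'm' low zeroes."""
    a = (65536 // (R * M)).bit_length() - 1      # 2^a = 65536 / (R * M)
    m = M.bit_length() - 1                        # 2^m = M
    k = 16 - a - m
    return ((1 << k) - 1) << m, a, k, m

def gma_ports(R, M, psid, exclude_well_known=True):
    """Port = (R*M)*i + M*PSID + j.  For (R*M) <= 2^15, i >= 1 drops ports 0..R*M-1;
    for (R*M) > 2^15 only i = 0 exists, so exclusion must come from the PSID choice."""
    first_i = 1 if exclude_well_known and R * M <= 2**15 else 0
    return [R * M * i + M * psid + j
            for i in range(first_i, 65536 // (R * M)) for j in range(M)]

def gma_psid(port, R, M):
    """PSID = floor((Port mod (R*M)) / M): the GMA reversal used at the BR."""
    return (port % (R * M)) // M

def values_touching_well_known(mask):
    """Port Range Values whose set contains a well-known port (0-1023).  Under
    mask/value, excluding 0-1023 means not allocating these values at all."""
    return sorted({p & mask for p in range(1024)})

def overlapping_ports(mask1, value1, mask2, value2):
    """Ports two subscribers would both claim when their masks differ (overloading)."""
    return sorted(set(mask_value_ports(mask1, value1)) &
                  set(mask_value_ports(mask2, value2)))

if __name__ == "__main__":
    mask, a, k, m = gma_mask(R=64, M=16)          # MAP-E default a = 6 -> mask 0x03F0
    ports = gma_ports(64, 16, psid=5)             # 63 ranges of 16 ports, 1024 apart
    print(hex(mask), (a, k, m), len(ports), ports[:3])
    print(all(gma_psid(p, 64, 16) == 5 for p in ports))
    print(values_touching_well_known(0xFC00), len(values_touching_well_known(0x03F0)))
    print(overlapping_ports(0xFC00, 0x0400, 0x03F0, 0x0050))
```

With a prefix mask (0xFC00) only value 0 touches the well-known ports, whereas with the MAP-E style mask (0x03F0) every value does, which is why the GMA excludes them through the lower limit on i rather than by withholding values.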
See .

MAP-E defaults to a value of 'a' equal to 6. Thus by constraining the
index i to be >= 1, exactly the well-known port range is excluded.
Also, each port set consists of 63 equally-sized ranges of consecutive
values spaced 1024 ports apart.

For a complete explanation of the GMA, see Appendix B of .

MAP-E embeds the PSID in the End User IPv6 Address provisioned on the
customer edge device. See . The PSID's location within the address is
determined from the Basic Mapping Rule applicable to the subscriber. A
mask to extract the PSID from that address is described as follows:

o  High-order zeroes in the amount of (n + 32 - r) bits, where n is
   the length of the IPv6 prefix in the Basic Mapping Rule and r is
   the length of the IPv4 prefix in that rule.

o  Ones in the amount of (r + o - 32) bits, where o is the number of
   EA bits given by the rule.

o  Zeroes for the remaining low-order portion of the address.

This operation is valid only if (r + o) is greater than 32. If not, the
IPv4 address or prefix assigned to the subscriber is unshared and the
customer edge device can use every port.

Everything that was described in the previous section for MAP-E also
applies to 4rd-U, with two differences. First, the mapping rule
applicable to a particular customer site includes an indication of
whether the customer edge equipment is permitted to use the well-known
ports or whether they must be excluded.

If the well-known ports are to be excluded, the default value of 'a'
(recall ) is 4 rather than 6. That means that the port set consists of
15 rather than 63 ranges, spaced 4096 values apart. It also means that
ports 0-4095 rather than ports 0-1023 are excluded. At an earlier point
in time MAP-E had the same default, for which the 4rd-U document
provides arguments. However, it was decided that the waste of ports
entailed (which implies a 6% reduction in the number of subscribers
sharing the same IPv4 address) was a sufficient reason to change.
However, see for new evidence on this point.

If the well-known ports can be used, the default value of 'a' is zero.
That is, the PSID is positioned at the beginning of the port number. As
mentioned in the previous section, this implies that subscribers
assigned this mapping rule are assigned a single range of consecutive
ports. The subscribers assigned the lowest PSID values receive port
sets consisting partly or completely of well-known port number values.

MAP-T uses the same algorithm to assign port sets to customer sites,
this time with just one difference. The default value of the offset 'a'
is always 4. The consequences in terms of wasted ports were spelled out
in the previous section.

This section provides an evaluation of the GMA against our
comparison criteria.

   +---------------------+--------------------------------------------+
   | Criterion           | Result                                     |
   +---------------------+--------------------------------------------+
   | Implementation      | Easy                                       |
   | PSID from port      | Yes                                        |
   | number              |                                            |
   | Port exclusion      | Easy, but using a value of the offset 'a'  |
   |                     | between 1 and 5 wastes ports and hence     |
   |                     | reduces the maximum practical sharing      |
   |                     | ratio.                                     |
   | Port set type       | Continuous for 'a' = 0, non-continuous     |
   |                     | otherwise                                  |
   | Stateless           | No subscriber-specific data required.      |
   | NAT compliance      | Port sets are guaranteed to be             |
   |                     | non-overlapping.                           |
   | Sharing ratio       | Equal to 65536/(M * 2^a), where M is the   |
   |                     | range size for all subscribers sharing the |
   |                     | same address. See note.                    |
   +---------------------+--------------------------------------------+

Note: a practical value of the total number of ports in the port set is
in the order of 400. Suppose one wants to guarantee each subscriber at
least this number of ports. Recall that the number of equal ranges into
which the port allocation is divided is equal to 1 for a = 0, 15 for
a = 4, and 63 for a = 6. Because of the assumption of equal range
sizes, the number of ports M in each range has to be rounded up in the
general case to give a total number of ports at least equal to 400.
shows the consequent impact on sharing ratio. The rounding effect very
much dominates the results. If the target were 305 ports instead, the
sharing ratio would be the same for all three values of a, since 305 is
a multiple of 15 and 63.

   +---+-----+----------+--------------+------------+---------+
   | a | 2^a | # Ranges | Range Size M | Tot. Ports | Ratio R |
   +---+-----+----------+--------------+------------+---------+
   | 0 |   1 |        1 |          400 |        400 |     163 |
   | 4 |  16 |       15 |           27 |        405 |     151 |
   | 6 |  64 |       63 |            7 |        441 |     146 |
   +---+-----+----------+--------------+------------+---------+

In , the value M is rounded up from the ratio 400/N, where N is the
number of separate ranges in the port set. The total number of ports in
the port set is this result multiplied by the number of ranges. The
sharing ratio is then the stated 65536/(M * 2^a), rounded down to
ensure every subscriber sharing the address gets the same number of
ports. For a = 0, this ratio would be reduced by 3 to exclude the three
ranges containing well-known ports.

The Generalized Modulus Algorithm (GMA) clearly comes the closest to
satisfying all of our criteria. As the example calculation in shows,
the sharing ratio is sensitive to the rounding necessary to guarantee
at least a certain total number of ports to each subscriber. In this
regard, sensitivity will be higher for larger values of the offset
parameter 'a', leading to the surprising result that for some ranges
of values of the target total number of ports, the sharing ratio will
be less for a = 6 than for a = 4, even though the latter wastefully
excludes an extra 3072 ports.

The sensitivity of this result to the target total number of ports per
subscriber is shown if one assumes that that number is 441 ports. Then
the sharing ratio for a = 6 remains at 146, but that for a = 4 drops to
136.

The mask/value algorithm is really a generalization of the GMA. One has
the GMA if the one-bits of the mask are constrained to be consecutive.
The difference between the binding and fully stateless approaches lies
not in the algorithm itself, but in how the algorithm parameters are
conveyed to the border router. Binding uses per-subscriber rules. The
fully stateless approaches reviewed in this document use a combination
of shared mapping rules and information embedded in
specially-constructed addresses.

This memo includes no request to IANA.

The major security consideration related to the subject matter of this
document is the vulnerability of port allocation to a port guessing
attack. See for details. The most important factor in countering such
an attack is to allocate ports randomly from the assigned port set as
they are required by different applications. However, allocating port
sets as non-continuous or random entities requires the attacker to go
to some extra effort in order to determine the complete port set
allocated to a subscriber. Thus resistance to port guessing attacks is
improved to a certain degree by allocating non-continuous port sets.
For the GMA, this means that non-zero values of the offset 'a' are to
be preferred.
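The following Python, added here and not part of the memo, reproduces the sharing-ratio rounding calculation behind the GMA evaluation table above (a target of at least 400 ports per subscriber) and the 441-port sensitivity check in the conclusions; the function names are this example's own.

```python
# Added example, not part of the memo: the sharing-ratio rounding arithmetic
# behind the GMA evaluation table (target >= 400 ports per subscriber) and the
# 441-port sensitivity check.  Function names are this example's own.

def gma_sharing(a, target):
    """One table row for offset 'a' and a minimum of `target` ports per subscriber.

    N: equal ranges per port set: 1 for a = 0, else 2^a - 1 (index i >= 1
       drops the range that holds the well-known ports).
    M: ports per range, ceil(target / N), so the total is at least `target`.
    R: 65536 / (M * 2^a), rounded down so every subscriber gets the same count.
    """
    n_ranges = 1 if a == 0 else 2**a - 1
    M = -(-target // n_ranges)                 # ceil(target / N)
    ratio = 65536 // (M * 2**a)
    # For a = 0 each port set is one contiguous range, so the ranges overlapping
    # ports 0..1023 cannot be handed out; that costs ceil(1024 / M) subscribers.
    reserved = -(-1024 // M) if a == 0 else 0
    return {"a": a, "ranges": n_ranges, "M": M, "total": M * n_ranges,
            "ratio": ratio, "ratio_excluding_well_known": ratio - reserved}

def sharing_table(target, offsets=(0, 4, 6)):
    """Rows for the offsets the memo compares (MAP-E 6, MAP-T and 4rd-U 4, 4rd-U 0)."""
    return [gma_sharing(a, target) for a in offsets]

if __name__ == "__main__":
    for row in sharing_table(400):
        print(row)
    # Sensitivity: at 441 ports, a = 6 stays at 146 while a = 4 falls to 136.
    print([(row["a"], row["ratio"]) for row in sharing_table(441)])
```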
References

   RFC 5382  NAT Behavioral Requirements for TCP.
   RFC 6056  Recommendations for Transport-Protocol Port Randomization.
   RFC 6431  Huawei Port Range Configuration Options for PPP IP Control
             Protocol (IPCP).
   RFC 1332  The PPP Internet Protocol Control Protocol (IPCP).
   RFC 6333  Dual-Stack Lite Broadband Deployments Following IPv4
             Exhaustion.
   IPv4 Residual Deployment Via IPv6 - A Unified Stateless Solution
             (4rd) (Work in progress).
   Mapping of Address and Port (MAP) (Work in progress).
   Mapping of Address and Port using Translation (MAP-T).
   Dynamic Host Configuration Protocol (DHCP) Option for Port Set
             Assignment (Work in progress).
   Lightweight 4over6: An Extension to the DS-Lite Architecture (Work
             in progress).
   Unified IPv4-in-IPv6 Softwire CPE (Work in progress).
   Analysis of Port Indexing Algorithms.