idnits 2.17.1 draft-arkko-dual-stack-extra-lite-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 25, 2010) is 4924 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-11) exists of draft-ietf-softwire-dual-stack-lite-06 == Outdated reference: A later version (-06) exists of draft-arkko-townsley-coexistence-03 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Arkko 3 Internet-Draft Ericsson 4 Intended status: Standards Track L. Eggert 5 Expires: April 28, 2011 Nokia 6 October 25, 2010 8 Scalable Operation of Address Translators with Per-Interface Bindings 9 draft-arkko-dual-stack-extra-lite-02 11 Abstract 13 This document explains how to employ address translation in networks 14 that serve a large number of individual customers without requiring a 15 correspondingly large amount of private IPv4 address space. 17 Status of this Memo 19 This Internet-Draft is submitted to IETF in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF), its areas, and its working groups. Note that 24 other groups may also distribute working documents as Internet- 25 Drafts. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 The list of current Internet-Drafts can be accessed at 33 http://www.ietf.org/ietf/1id-abstracts.txt. 35 The list of Internet-Draft Shadow Directories can be accessed at 36 http://www.ietf.org/shadow.html. 38 This Internet-Draft will expire on April 28, 2011. 40 Copyright Notice 42 Copyright (c) 2010 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the BSD License. 55 1. Introduction 57 This document explains how to employ address translation without 58 consuming a large amount of private address space. This is important 59 in networks that serve a large number of individual customers. 60 Networks that serve more than 2^24 (16 million) users cannot assign a 61 unique private IPv4 address to each user, because the largest 62 reserved private address block reserved is 10/8 [RFC1918]. Many 63 networks are already hitting these limits today, for instance, in the 64 consumer Internet service market. Even some individual devices may 65 approach these limits, for instance, cellular network gateways or 66 mobile IP home agents. 68 If ample IPv4 address space was available, this would be a non-issue, 69 because the current practice of assigning public IPv4 addresses to 70 each user would remain viable, and the complications associated with 71 using the more limited private address space could be avoided. 72 However, as the IPv4 address pool is becoming depleted, this practice 73 is becoming increasingly difficult to sustain. 75 It has been suggested that more of the unassigned IPv4 space should 76 be converted for private use, in order to allow the provisioning of 77 larger networks with private IPv4 address space. At the time of 78 writing, the IANA "free pool" contained only 12 unallocated unicast 79 IPv4 /8 prefixes. Although reserving a few of those for private use 80 would create some breathing room for such deployments, it would not 81 result in a solution with long-term viability, would result in 82 significant operational and management overheads, and would further 83 reduce the number of available IPv4 addresses. 85 Segmenting a network into areas of overlapping private address space 86 is another possible technique, but it severely complicates the design 87 and operation of a network. 89 Finally, the transition to IPv6 will eventually eliminate these 90 addressing limitations. However, during the migration period when 91 IPv4 and IPv6 have to co-exist, there will be the need to reach IPv4 92 destinations, which involves the use of address or protocol 93 translation. 95 The rest of this document is organized as follows. Section 2 gives 96 an outline of the solution, Section 3 introduces some terms, 97 Section 4 specifies the required behavior for managing NAT bindings 98 and Section 5 discusses the use of this technique with IPv6. 100 2. Solution Outline 102 The need for address or protocol translation during the migration 103 period to IPv6 creates the opportunity to deploy these mechanisms in 104 a way that allows the support of a large user base without the need 105 for a correspondingly large IPv4 address block. 107 A Network Address Translator (NAT) is typically configured to connect 108 a network domain that uses private IPv4 addresses to the public 109 Internet. The NAT device - which is configured with a public IPv4 110 address - creates and maintains a mapping for each communication 111 session from a device inside the domain it serves to devices in the 112 public Internet. It does that by translating the packet flow of each 113 session such that the externally visible traffic uses only public 114 addresses. 116 In most NAT deployments, the network domain connected by the NAT to 117 the public Internet is a broadcast network sharing the same media, 118 where each individual device must have a unique IPv4 address. In 119 such deployments it is natural to also implement the NAT 120 functionality such that it uses this unique IPv4 address when looking 121 up which mapping should be used to translate a given communication 122 session. 124 It is important to note, however, that this is not an inherent 125 requirement. When other methods of identifying the correct mapping 126 are available, and the NAT is not connecting a shared-media broadcast 127 network to the Internet, there is no need to assign each device in 128 the domain a unique IPv4 address. 130 This is the case, for example, when the NAT connects devices to the 131 Internet that connect to it with individual point-to-point links. In 132 this case, it becomes possible to use the same private addresses many 133 times, making it possible to support any number of devices behind a 134 NAT using very few IPv4 addresses. 136 There are tunneling-based techniques to reach the same benefits, by 137 establishing new tunnels over any IP network 138 [I-D.ietf-softwire-dual-stack-lite]. However, where the point-to- 139 point links already exists, creating an additional layer of tunneling 140 is unnecessary (and even potentially harmful due to effects to the 141 Maximum Transfer Unit) MTU settings). The approach described in this 142 document can be implemented and deployed within a single device and 143 has no effect to hosts behind it. In addition, as no additional 144 layers of tunneling are introduced, there is no effect to the MTU. 145 It is also unnecessary to implement tunnel endpoint discovery, 146 security mechanisms or other aspects of a tunneling solution. In 147 fact, there are no changes to the devices behind the NAT. 149 Note, however, that existing tunnels are a common special case of 150 point-to-point links. For instance, cellular network gateways 151 terminate a large number of tunnels that are already needed for 152 mobility management reasons. Implementing the approach described in 153 this document is particularly attractive in such environments, given 154 that no additional tunneling mechanisms, negotiation, or host changes 155 are required. In addition, since there is no additional tunneling, 156 packets continue to take the same path as they would normally take. 157 Other commonly appearing network technology that may be of interest 158 include Point-to-Point Protocol (PPP) [RFC1661] links, PPP over 159 Ethernet (PPPoE) [RFC2516] encapsulation, Asynchronous Transfer Mode 160 (ATM) Permanent Virtual Circuits (PVCs), and per-subscriber virtual 161 LAN (VLAN) allocation in consumer broadband networks. 163 The approach described here also results overlapping private address 164 space, like the segmentation of the network to different areas. 165 However, this overlap is applied only at the network edges, and does 166 not impact routing or reachability of servers in a negative way. 168 3. Terms 170 In this document, the key words "MAY", "MUST, "MUST NOT", "OPTIONAL", 171 "RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be interpreted as 172 described in [RFC2119]. 174 "NAT" in this document includes both "Basic NAT" and "Network 175 Address/Port Translator (NAPT)" as defined by [RFC2663]. The term 176 "NAT Session" is adapted from [RFC5382] and is defined as follows. 178 NAT Session - A NAT session is an association between a transport 179 layer session as seen in the internal realm and a session as seen in 180 the external realm, by virtue of NAT translation. The NAT session 181 will provide the translation glue between the two session 182 representations. 184 This document uses the term mapping as defined in [RFC4787] to refer 185 to state at the NAT necessary for network address and port 186 translation of sessions. 188 4. Per-Interface Bindings 190 To support a mode of operation that uses a fixed number of IPv4 191 addresses to serve an arbitrary number of devices, a NAT MUST manage 192 its mappings on a per-interface basis, by associating a particular 193 NAT session not only with the five tuples used for the transport 194 connection on both sides of the NAT, but also with the internal 195 interface on which the user device is connected to the NAT. This 196 approach allows each internal interface to use the same private IPv4 197 address range. Note that the interface need not be physical, it may 198 also correspond to a tunnel, VLAN, or other identifiable 199 communications channel. 201 For deployments where exactly one user device is connected with a 202 separate tunnel interface and all tunnels use the same IPv4 address 203 for the user devices, it is redundant to store this address in the 204 mapping in addition to the internal interface identifier. When the 205 internal interface identifier is shorter than a 32-bit IPv4 address, 206 this may decrease the storage requirements of a mapping entry by a 207 small measure, which may aid NAT scalability. For other deployments, 208 it is likely necessary to store both the user device IPv4 address and 209 the internal interface identifier, which slightly increases the size 210 of the mapping entry. 212 This mode of operation is only suitable in deployments where user 213 devices connect to the NAT over point-to-point links. If supported, 214 this mode of operation SHOULD be configurable, and it should be 215 disabled by default in general-purpose NAT devices. 217 5. IPv6 Considerations 219 Private address space conservation is important even during the 220 migration to IPv6, because it will be necessary to communicate with 221 the IPv4 Internet for a long time. This document specifies two 222 recommended deployment models for IPv6. In the first deployment 223 model the mechanisms specified in this document are useful. In the 224 second deployment model no additional mechanisms are needed, because 225 IPv6 addresses are already sufficient to distinguish mappings from 226 each other. 228 The first deployment model employs dual stack [RFC4213]. The IPv6 229 side of dual stack operates based on global addresses and direct end- 230 to-end communication. However, on the IPv4 side private addressing 231 and NATs are a necessity. The use of per-interface NAT mappings is 232 RECOMMENDED for the IPv4 side under these circumstances. Per- 233 interface mappings help the NAT scale, while dual stack operation 234 helps reduce the pressure on the NAT device by moving key types of 235 traffic to IPv6, eliminating the need for NAT processing. 237 The second deployment model involves the use of address and protocol 238 translation, such as the one defined in 239 [I-D.ietf-behave-v6v4-xlate-stateful]. In this deployment model 240 there is no IPv4 in the internal network at all. This model is 241 applicable only in situations where all relevant devices and 242 applications are IPv6-capable. In this situation, per-interface 243 mappings could be employed as specified above, but they are generally 244 unnecessary as the IPv6 address space is large enough to provide a 245 sufficient number of mappings. 247 6. Security Considerations 249 This practices outlined in this document do not affect the security 250 properties of address translation. 252 7. IANA Considerations 254 This document has no IANA implications. 256 8. References 258 8.1. Normative References 260 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 261 Requirement Levels", BCP 14, RFC 2119, March 1997. 263 8.2. Informative References 265 [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, 266 RFC 1661, July 1994. 268 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 269 E. Lear, "Address Allocation for Private Internets", 270 BCP 5, RFC 1918, February 1996. 272 [RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D., 273 and R. Wheeler, "A Method for Transmitting PPP Over 274 Ethernet (PPPoE)", RFC 2516, February 1999. 276 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 277 Translator (NAT) Terminology and Considerations", 278 RFC 2663, August 1999. 280 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms 281 for IPv6 Hosts and Routers", RFC 4213, October 2005. 283 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 284 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 285 RFC 4787, January 2007. 287 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 288 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 289 RFC 5382, October 2008. 291 [I-D.ietf-softwire-dual-stack-lite] 292 Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 293 Stack Lite Broadband Deployments Following IPv4 294 Exhaustion", draft-ietf-softwire-dual-stack-lite-06 (work 295 in progress), August 2010. 297 [I-D.arkko-townsley-coexistence] 298 Arkko, J. and M. Townsley, "IPv4 Run-Out and IPv4-IPv6 Co- 299 Existence Scenarios", draft-arkko-townsley-coexistence-03 300 (work in progress), July 2009. 302 [I-D.ietf-behave-v6v4-xlate-stateful] 303 Bagnulo, M., Matthews, P., and I. Beijnum, "Stateful 304 NAT64: Network Address and Protocol Translation from IPv6 305 Clients to IPv4 Servers", 306 draft-ietf-behave-v6v4-xlate-stateful-12 (work in 307 progress), July 2010. 309 [I-D.miles-behave-l2nat] 310 Miles, D. and M. Townsley, "Layer2-Aware NAT", 311 draft-miles-behave-l2nat-00 (work in progress), 312 March 2009. 314 [TRILOGY] "Trilogy Project", http://www.trilogy-project.org/. 316 Appendix A. Contributors 318 The ideas in this draft were first presented in 319 [I-D.ietf-softwire-dual-stack-lite]. This document also in debt to 320 [I-D.arkko-townsley-coexistence] and [I-D.miles-behave-l2nat]. 321 However, all of these documents focused on additional components, 322 such as tunneling protocols or the allocation of special IP address 323 ranges. We wanted to publish a specification that just focuses on 324 the core functionality of a per-interface NAT mappings. However, 325 Mark Townsley, David Miles, and Alain Durand should be credited with 326 coming up with the ideas discussed in this memo. 328 Appendix B. Acknowledgments 330 The authors would also like to thank Randy Bush, Fredrik Garneij, Dan 331 Wing, Christian Vogt, Marcelo Braun, Joel Halpern, Wassim Haddad, 332 Alan Kavanaugh and others for interesting discussions in this problem 333 space. 335 Lars Eggert is partly funded by the Trilogy Project [TRILOGY], a 336 research project supported by the European Commission under its 337 Seventh Framework Program. 339 Authors' Addresses 341 Jari Arkko 342 Ericsson 343 Jorvas 02420 344 Finland 346 Email: jari.arkko@piuha.net 348 Lars Eggert 349 Nokia Research Center 350 P.O. Box 407 351 Nokia Group 00045 352 Finland 354 Phone: +358 50 48 24461 355 Email: lars.eggert@nokia.com 356 URI: http://research.nokia.com/people/lars_eggert/