idnits 2.17.1 draft-arkko-dual-stack-extra-lite-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 4, 2011) is 4829 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-11) exists of draft-ietf-softwire-dual-stack-lite-06 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Arkko 3 Internet-Draft Ericsson 4 Intended status: Standards Track L. Eggert 5 Expires: August 8, 2011 Nokia 6 M. Townsley 7 Cisco 8 February 4, 2011 10 Scalable Operation of Address Translators with Per-Interface Bindings 11 draft-arkko-dual-stack-extra-lite-04 13 Abstract 15 This document explains how to employ address translation in networks 16 that serve a large number of individual customers without requiring a 17 correspondingly large amount of private IPv4 address space. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on August 8, 2011. 36 Copyright Notice 38 Copyright (c) 2011 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 1. Introduction 53 This document explains how to employ address translation without 54 consuming a large amount of private address space. This is important 55 in networks that serve a large number of individual customers. 56 Networks that serve more than 2^24 (16 million) users cannot assign a 57 unique private IPv4 address to each user, because the largest 58 reserved private address block reserved is 10/8 [RFC1918]. Many 59 networks are already hitting these limits today, for instance, in the 60 consumer Internet service market. Even some individual devices may 61 approach these limits, for instance, cellular network gateways or 62 mobile IP home agents. 64 If ample IPv4 address space was available, this would be a non-issue, 65 because the current practice of assigning public IPv4 addresses to 66 each user would remain viable, and the complications associated with 67 using the more limited private address space could be avoided. 68 However, as the IPv4 address pool is becoming depleted, this practice 69 is becoming increasingly difficult to sustain. 71 It has been suggested that more of the unassigned IPv4 space should 72 be converted for private use, in order to allow the provisioning of 73 larger networks with private IPv4 address space. At the time of 74 writing, the IANA "free pool" contained only 12 unallocated unicast 75 IPv4 /8 prefixes. Although reserving a few of those for private use 76 would create some breathing room for such deployments, it would not 77 result in a solution with long-term viability, would result in 78 significant operational and management overheads, and would further 79 reduce the number of available IPv4 addresses. 81 Segmenting a network into areas of overlapping private address space 82 is another possible technique, but it severely complicates the design 83 and operation of a network. 85 Finally, the transition to IPv6 will eventually eliminate these 86 addressing limitations. However, during the migration period when 87 IPv4 and IPv6 have to co-exist, there will be the need to reach IPv4 88 destinations, which involves the use of address or protocol 89 translation. 91 The rest of this document is organized as follows. Section 2 gives 92 an outline of the solution, Section 3 introduces some terms, 93 Section 4 specifies the required behavior for managing NAT bindings 94 and Section 5 discusses the use of this technique with IPv6. 96 2. Solution Outline 98 The need for address or protocol translation during the migration 99 period to IPv6 creates the opportunity to deploy these mechanisms in 100 a way that allows the support of a large user base without the need 101 for a correspondingly large IPv4 address block. 103 A Network Address Translator (NAT) is typically configured to connect 104 a network domain that uses private IPv4 addresses to the public 105 Internet. The NAT device - which is configured with a public IPv4 106 address - creates and maintains a mapping for each communication 107 session from a device inside the domain it serves to devices in the 108 public Internet. It does that by translating the packet flow of each 109 session such that the externally visible traffic uses only public 110 addresses. 112 In many NAT deployments, the network domain connected by the NAT to 113 the public Internet is a broadcast network sharing the same media, 114 where each individual device must have a private IPv4 address that is 115 unique within this network. In such deployments it is natural to 116 also implement the NAT functionality such that it uses the private 117 IPv4 address when looking up which mapping should be used to 118 translate a given communication session. 120 It is important to note, however, that this is not an inherent 121 requirement. When other methods of identifying the correct mapping 122 are available, and the NAT is not connecting a shared-media broadcast 123 network to the Internet, there is no need to assign each device in 124 the domain a unique IPv4 address. 126 This is the case, for example, when the NAT connects devices to the 127 Internet that connect to it with individual point-to-point links. In 128 this case, it becomes possible to use the same private addresses many 129 times, making it possible to support any number of devices behind a 130 NAT using very few IPv4 addresses. 132 There are tunneling-based techniques to reach the same benefits, by 133 establishing new tunnels over any IP network 134 [I-D.ietf-softwire-dual-stack-lite]. However, where the point-to- 135 point links already exists, creating an additional layer of tunneling 136 is unnecessary (and even potentially harmful due to effects to the 137 Maximum Transfer Unit) MTU settings). The approach described in this 138 document can be implemented and deployed within a single device and 139 has no effect to hosts behind it. In addition, as no additional 140 layers of tunneling are introduced, there is no effect to the MTU. 141 It is also unnecessary to implement tunnel endpoint discovery, 142 security mechanisms or other aspects of a tunneling solution. In 143 fact, there are no changes to the devices behind the NAT. 145 Note, however, that existing tunnels are a common special case of 146 point-to-point links. For instance, cellular network gateways 147 terminate a large number of tunnels that are already needed for 148 mobility management reasons. Implementing the approach described in 149 this document is particularly attractive in such environments, given 150 that no additional tunneling mechanisms, negotiation, or host changes 151 are required. In addition, since there is no additional tunneling, 152 packets continue to take the same path as they would normally take. 153 Other commonly appearing network technology that may be of interest 154 include Point-to-Point Protocol (PPP) [RFC1661] links, PPP over 155 Ethernet (PPPoE) [RFC2516] encapsulation, Asynchronous Transfer Mode 156 (ATM) Permanent Virtual Circuits (PVCs), and per-subscriber virtual 157 LAN (VLAN) allocation in consumer broadband networks. 159 The approach described here also results overlapping private address 160 space, like the segmentation of the network to different areas. 161 However, this overlap is applied only at the network edges, and does 162 not impact routing or reachability of servers in a negative way. 164 3. Terms 166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 168 document are to be interpreted as described in [RFC2119]. 170 "NAT" in this document includes both "Basic NAT" and "Network 171 Address/Port Translator (NAPT)" as defined by [RFC2663]. The term 172 "NAT Session" is adapted from [RFC5382] and is defined as follows. 174 NAT Session - A NAT session is an association between a transport 175 layer session as seen in the internal realm and a session as seen in 176 the external realm, by virtue of NAT translation. The NAT session 177 will provide the translation glue between the two session 178 representations. 180 This document uses the term mapping as defined in [RFC4787] to refer 181 to state at the NAT necessary for network address and port 182 translation of sessions. 184 4. Per-Interface Bindings 186 To support a mode of operation that uses a fixed number of IPv4 187 addresses to serve an arbitrary number of devices, a NAT MUST manage 188 its mappings on a per-interface basis, by associating a particular 189 NAT session not only with the five tuples used for the transport 190 connection on both sides of the NAT, but also with the internal 191 interface on which the user device is connected to the NAT. This 192 approach allows each internal interface to use the same private IPv4 193 address range. Note that the interface need not be physical, it may 194 also correspond to a tunnel, VLAN, or other identifiable 195 communications channel. 197 For deployments where exactly one user device is connected with a 198 separate tunnel interface and all tunnels use the same IPv4 address 199 for the user devices, it is redundant to store this address in the 200 mapping in addition to the internal interface identifier. When the 201 internal interface identifier is shorter than a 32-bit IPv4 address, 202 this may decrease the storage requirements of a mapping entry by a 203 small measure, which may aid NAT scalability. For other deployments, 204 it is likely necessary to store both the user device IPv4 address and 205 the internal interface identifier, which slightly increases the size 206 of the mapping entry. 208 This mode of operation is only suitable in deployments where user 209 devices connect to the NAT over point-to-point links. If supported, 210 this mode of operation SHOULD be configurable, and it should be 211 disabled by default in general-purpose NAT devices. 213 5. IPv6 Considerations 215 Private address space conservation is important even during the 216 migration to IPv6, because it will be necessary to communicate with 217 the IPv4 Internet for a long time. This document specifies two 218 recommended deployment models for IPv6. In the first deployment 219 model the mechanisms specified in this document are useful. In the 220 second deployment model no additional mechanisms are needed, because 221 IPv6 addresses are already sufficient to distinguish mappings from 222 each other. 224 The first deployment model employs dual stack [RFC4213]. The IPv6 225 side of dual stack operates based on global addresses and direct end- 226 to-end communication. However, on the IPv4 side private addressing 227 and NATs are a necessity. The use of per-interface NAT mappings is 228 RECOMMENDED for the IPv4 side under these circumstances. Per- 229 interface mappings help the NAT scale, while dual stack operation 230 helps reduce the pressure on the NAT device by moving key types of 231 traffic to IPv6, eliminating the need for NAT processing. 233 The second deployment model involves the use of address and protocol 234 translation, such as the one defined in 235 [I-D.ietf-behave-v6v4-xlate-stateful]. In this deployment model 236 there is no IPv4 in the internal network at all. This model is 237 applicable only in situations where all relevant devices and 238 applications are IPv6-capable. In this situation, per-interface 239 mappings could be employed as specified above, but they are generally 240 unnecessary as the IPv6 address space is large enough to provide a 241 sufficient number of mappings. 243 6. Security Considerations 245 The practices outlined in this document do not affect the security 246 properties of address translation. The binding method specified in 247 this document is not observable to a device that is on the outside of 248 the NAT; i.e., a regular NAT and a NAT specified here cannot be 249 distinguished. However, the use of point-to-point links implies 250 naturally that the devices behind the NAT cannot communicate with 251 each other directly without going through the NAT (or a router). The 252 use of same address space for different devices implies in addition 253 that a NAT operation must occur between two devices in order for them 254 to communicate. 256 The security implications of address translation in general have been 257 discussed in many previous documents, including [RFC2663] [RFC2993] 258 [RFC4787], and [RFC5382]. 260 7. IANA Considerations 262 This document has no IANA implications. 264 8. References 266 8.1. Normative References 268 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 269 Requirement Levels", BCP 14, RFC 2119, March 1997. 271 8.2. Informative References 273 [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, 274 RFC 1661, July 1994. 276 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 277 E. Lear, "Address Allocation for Private Internets", 278 BCP 5, RFC 1918, February 1996. 280 [RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D., 281 and R. Wheeler, "A Method for Transmitting PPP Over 282 Ethernet (PPPoE)", RFC 2516, February 1999. 284 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 285 Translator (NAT) Terminology and Considerations", 286 RFC 2663, August 1999. 288 [RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993, 289 November 2000. 291 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms 292 for IPv6 Hosts and Routers", RFC 4213, October 2005. 294 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 295 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 296 RFC 4787, January 2007. 298 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 299 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 300 RFC 5382, October 2008. 302 [I-D.ietf-softwire-dual-stack-lite] 303 Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 304 Stack Lite Broadband Deployments Following IPv4 305 Exhaustion", draft-ietf-softwire-dual-stack-lite-06 (work 306 in progress), August 2010. 308 [I-D.arkko-townsley-coexistence] 309 Arkko, J. and M. Townsley, "IPv4 Run-Out and IPv4-IPv6 Co- 310 Existence Scenarios", draft-arkko-townsley-coexistence-06 311 (work in progress), October 2010. 313 [I-D.ietf-behave-v6v4-xlate-stateful] 314 Bagnulo, M., Matthews, P., and I. Beijnum, "Stateful 315 NAT64: Network Address and Protocol Translation from IPv6 316 Clients to IPv4 Servers", 317 draft-ietf-behave-v6v4-xlate-stateful-12 (work in 318 progress), July 2010. 320 [I-D.miles-behave-l2nat] 321 Miles, D. and M. Townsley, "Layer2-Aware NAT", 322 draft-miles-behave-l2nat-00 (work in progress), 323 March 2009. 325 [TRILOGY] "Trilogy Project", http://www.trilogy-project.org/. 327 Appendix A. Contributors 329 The ideas in this draft were first presented in 330 [I-D.ietf-softwire-dual-stack-lite]. This document also in debt to 332 [I-D.arkko-townsley-coexistence] and [I-D.miles-behave-l2nat]. 333 However, all of these documents focused on additional components, 334 such as tunneling protocols or the allocation of special IP address 335 ranges. We wanted to publish a specification that just focuses on 336 the core functionality of a per-interface NAT mappings. However, 337 David Miles, and Alain Durand should be credited with coming up with 338 the ideas discussed in this memo. 340 Appendix B. Acknowledgments 342 The authors would also like to thank Randy Bush, Fredrik Garneij, Dan 343 Wing, Christian Vogt, Marcelo Braun, Joel Halpern, Wassim Haddad, 344 Alan Kavanaugh and others for interesting discussions in this problem 345 space. 347 Lars Eggert is partly funded by the Trilogy Project [TRILOGY], a 348 research project supported by the European Commission under its 349 Seventh Framework Program. 351 Authors' Addresses 353 Jari Arkko 354 Ericsson 355 Jorvas 02420 356 Finland 358 Email: jari.arkko@piuha.net 360 Lars Eggert 361 Nokia Research Center 362 P.O. Box 407 363 Nokia Group 00045 364 Finland 366 Phone: +358 50 48 24461 367 Email: lars.eggert@nokia.com 368 URI: http://research.nokia.com/people/lars_eggert/ 369 Mark Townsley 370 Cisco 371 Paris 75006 372 France 374 Email: townsley@cisco.com