idnits 2.17.1 draft-arkko-dual-stack-extra-lite-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 4, 2011) is 4822 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-11) exists of draft-ietf-softwire-dual-stack-lite-06 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Arkko 3 Internet-Draft Ericsson 4 Intended status: Standards Track L. Eggert 5 Expires: August 8, 2011 Nokia 6 M. Townsley 7 Cisco 8 February 4, 2011 10 Scalable Operation of Address Translators with Per-Interface Bindings 11 draft-arkko-dual-stack-extra-lite-05 13 Abstract 15 This document explains how to employ address translation in networks 16 that serve a large number of individual customers without requiring a 17 correspondingly large amount of private IPv4 address space. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on August 8, 2011. 36 Copyright Notice 38 Copyright (c) 2011 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 1. Introduction 53 This document explains how to employ address translation without 54 consuming a large amount of private address space. This is important 55 in networks that serve a large number of individual customers. 56 Networks that serve more than 2^24 (16 million) users cannot assign a 57 unique private IPv4 address to each user, because the largest 58 reserved private address block reserved is 10/8 [RFC1918]. Many 59 networks are already hitting these limits today, for instance, in the 60 consumer Internet service market. Even some individual devices may 61 approach these limits, for instance, cellular network gateways or 62 mobile IP home agents. 64 If ample IPv4 address space was available, this would be a non-issue, 65 because the current practice of assigning public IPv4 addresses to 66 each user would remain viable, and the complications associated with 67 using the more limited private address space could be avoided. 68 However, as the IPv4 address pool is becoming depleted, this practice 69 is becoming increasingly difficult to sustain. 71 It has been suggested that more of the unassigned IPv4 space should 72 be converted for private use, in order to allow the provisioning of 73 larger networks with private IPv4 address space. At the time of 74 writing, the IANA "free pool" contained only 12 unallocated unicast 75 IPv4 /8 prefixes. Although reserving a few of those for private use 76 would create some breathing room for such deployments, it would not 77 result in a solution with long-term viability, would result in 78 significant operational and management overheads, and would further 79 reduce the number of available IPv4 addresses. 81 Segmenting a network into areas of overlapping private address space 82 is another possible technique, but it severely complicates the design 83 and operation of a network. 85 Finally, the transition to IPv6 will eventually eliminate these 86 addressing limitations. However, during the migration period when 87 IPv4 and IPv6 have to co-exist, there will be the need to reach IPv4 88 destinations, which involves the use of address or protocol 89 translation. 91 The rest of this document is organized as follows. Section 2 gives 92 an outline of the solution, Section 3 introduces some terms, 93 Section 4 specifies the required behavior for managing NAT bindings 94 and Section 5 discusses the use of this technique with IPv6. 96 2. Solution Outline 98 The need for address or protocol translation during the migration 99 period to IPv6 creates the opportunity to deploy these mechanisms in 100 a way that allows the support of a large user base without the need 101 for a correspondingly large IPv4 address block. 103 A Network Address Translator (NAT) is typically configured to connect 104 a network domain that uses private IPv4 addresses to the public 105 Internet. The NAT device - which is configured with a public IPv4 106 address - creates and maintains a mapping for each communication 107 session from a device inside the domain it serves to devices in the 108 public Internet. It does that by translating the packet flow of each 109 session such that the externally visible traffic uses only public 110 addresses. 112 In many NAT deployments, the network domain connected by the NAT to 113 the public Internet is a broadcast network sharing the same media, 114 where each individual device must have a private IPv4 address that is 115 unique within this network. In such deployments it is natural to 116 also implement the NAT functionality such that it uses the private 117 IPv4 address when looking up which mapping should be used to 118 translate a given communication session. 120 It is important to note, however, that this is not an inherent 121 requirement. When other methods of identifying the correct mapping 122 are available, and the NAT is not connecting a shared-media broadcast 123 network to the Internet, there is no need to assign each device in 124 the domain a unique IPv4 address. 126 This is the case, for example, when the NAT connects devices to the 127 Internet that connect to it with individual point-to-point links. In 128 this case, it becomes possible to use the same private addresses many 129 times, making it possible to support any number of devices behind a 130 NAT using very few IPv4 addresses. 132 There are tunneling-based techniques to reach the same benefits, by 133 establishing new tunnels over any IP network 134 [I-D.ietf-softwire-dual-stack-lite]. However, where the point-to- 135 point links already exists, creating an additional layer of tunneling 136 is unnecessary (and even potentially harmful due to effects to the 137 Maximum Transfer Unit) MTU settings). The approach described in this 138 document can be implemented and deployed within a single device and 139 has no effect to hosts behind it. In addition, as no additional 140 layers of tunneling are introduced, there is no effect to the MTU. 141 It is also unnecessary to implement tunnel endpoint discovery, 142 security mechanisms or other aspects of a tunneling solution. In 143 fact, there are no changes to the devices behind the NAT. 145 Note, however, that existing tunnels are a common special case of 146 point-to-point links. For instance, cellular network gateways 147 terminate a large number of tunnels that are already needed for 148 mobility management reasons. Implementing the approach described in 149 this document is particularly attractive in such environments, given 150 that no additional tunneling mechanisms, negotiation, or host changes 151 are required. In addition, since there is no additional tunneling, 152 packets continue to take the same path as they would normally take. 153 Other commonly appearing network technology that may be of interest 154 include Point-to-Point Protocol (PPP) [RFC1661] links, PPP over 155 Ethernet (PPPoE) [RFC2516] encapsulation, Asynchronous Transfer Mode 156 (ATM) Permanent Virtual Circuits (PVCs), and per-subscriber virtual 157 LAN (VLAN) allocation in consumer broadband networks. 159 The approach described here also results overlapping private address 160 space, like the segmentation of the network to different areas. 161 However, this overlap is applied only at the network edges, and does 162 not impact routing or reachability of servers in a negative way. 164 3. Terms 166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 168 document are to be interpreted as described in [RFC2119]. 170 "NAT" in this document includes both "Basic NAT" and "Network 171 Address/Port Translator (NAPT)" as defined by [RFC2663]. The term 172 "NAT Session" is adapted from [RFC5382] and is defined as follows. 174 NAT Session - A NAT session is an association between a transport 175 layer session as seen in the internal realm and a session as seen in 176 the external realm, by virtue of NAT translation. The NAT session 177 will provide the translation glue between the two session 178 representations. 180 This document uses the term mapping as defined in [RFC4787] to refer 181 to state at the NAT necessary for network address and port 182 translation of sessions. 184 4. Per-Interface Bindings 186 To support a mode of operation that uses a fixed number of IPv4 187 addresses to serve an arbitrary number of devices, a NAT MUST manage 188 its mappings on a per-interface basis, by associating a particular 189 NAT session not only with the five tuples used for the transport 190 connection on both sides of the NAT, but also with the internal 191 interface on which the user device is connected to the NAT. This 192 approach allows each internal interface to use the same private IPv4 193 address range. Note that the interface need not be physical, it may 194 also correspond to a tunnel, VLAN, or other identifiable 195 communications channel. 197 For deployments where exactly one user device is connected with a 198 separate tunnel interface and all tunnels use the same IPv4 address 199 for the user devices, it is redundant to store this address in the 200 mapping in addition to the internal interface identifier. When the 201 internal interface identifier is shorter than a 32-bit IPv4 address, 202 this may decrease the storage requirements of a mapping entry by a 203 small measure, which may aid NAT scalability. For other deployments, 204 it is likely necessary to store both the user device IPv4 address and 205 the internal interface identifier, which slightly increases the size 206 of the mapping entry. 208 This mode of operation is only suitable in deployments where user 209 devices connect to the NAT over point-to-point links. If supported, 210 this mode of operation SHOULD be configurable, and it should be 211 disabled by default in general-purpose NAT devices. 213 All address translators make it hard to address devices behind them. 214 The same is true of the particular NAT variant described in this 215 document. An additional constraint is caused by the use of the same 216 address space for different devices behind the NAT, which prevents 217 the use of unique private addresses for communication between devices 218 behind the same NAT. 220 5. IPv6 Considerations 222 Private address space conservation is important even during the 223 migration to IPv6, because it will be necessary to communicate with 224 the IPv4 Internet for a long time. This document specifies two 225 recommended deployment models for IPv6. In the first deployment 226 model the mechanisms specified in this document are useful. In the 227 second deployment model no additional mechanisms are needed, because 228 IPv6 addresses are already sufficient to distinguish mappings from 229 each other. 231 The first deployment model employs dual stack [RFC4213]. The IPv6 232 side of dual stack operates based on global addresses and direct end- 233 to-end communication. However, on the IPv4 side private addressing 234 and NATs are a necessity. The use of per-interface NAT mappings is 235 RECOMMENDED for the IPv4 side under these circumstances. Per- 236 interface mappings help the NAT scale, while dual stack operation 237 helps reduce the pressure on the NAT device by moving key types of 238 traffic to IPv6, eliminating the need for NAT processing. 240 The second deployment model involves the use of address and protocol 241 translation, such as the one defined in 242 [I-D.ietf-behave-v6v4-xlate-stateful]. In this deployment model 243 there is no IPv4 in the internal network at all. This model is 244 applicable only in situations where all relevant devices and 245 applications are IPv6-capable. In this situation, per-interface 246 mappings could be employed as specified above, but they are generally 247 unnecessary as the IPv6 address space is large enough to provide a 248 sufficient number of mappings. 250 6. Security Considerations 252 The practices outlined in this document do not affect the security 253 properties of address translation. The binding method specified in 254 this document is not observable to a device that is on the outside of 255 the NAT; i.e., a regular NAT and a NAT specified here cannot be 256 distinguished. However, the use of point-to-point links implies 257 naturally that the devices behind the NAT cannot communicate with 258 each other directly without going through the NAT (or a router). The 259 use of same address space for different devices implies in addition 260 that a NAT operation must occur between two devices in order for them 261 to communicate. 263 The security implications of address translation in general have been 264 discussed in many previous documents, including [RFC2663] [RFC2993] 265 [RFC4787], and [RFC5382]. 267 7. IANA Considerations 269 This document has no IANA implications. 271 8. References 273 8.1. Normative References 275 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 276 Requirement Levels", BCP 14, RFC 2119, March 1997. 278 8.2. Informative References 280 [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, 281 RFC 1661, July 1994. 283 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 284 E. Lear, "Address Allocation for Private Internets", 285 BCP 5, RFC 1918, February 1996. 287 [RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D., 288 and R. Wheeler, "A Method for Transmitting PPP Over 289 Ethernet (PPPoE)", RFC 2516, February 1999. 291 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 292 Translator (NAT) Terminology and Considerations", 293 RFC 2663, August 1999. 295 [RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993, 296 November 2000. 298 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms 299 for IPv6 Hosts and Routers", RFC 4213, October 2005. 301 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 302 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 303 RFC 4787, January 2007. 305 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 306 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 307 RFC 5382, October 2008. 309 [I-D.ietf-softwire-dual-stack-lite] 310 Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 311 Stack Lite Broadband Deployments Following IPv4 312 Exhaustion", draft-ietf-softwire-dual-stack-lite-06 (work 313 in progress), August 2010. 315 [I-D.arkko-townsley-coexistence] 316 Arkko, J. and M. Townsley, "IPv4 Run-Out and IPv4-IPv6 Co- 317 Existence Scenarios", draft-arkko-townsley-coexistence-06 318 (work in progress), October 2010. 320 [I-D.ietf-behave-v6v4-xlate-stateful] 321 Bagnulo, M., Matthews, P., and I. Beijnum, "Stateful 322 NAT64: Network Address and Protocol Translation from IPv6 323 Clients to IPv4 Servers", 324 draft-ietf-behave-v6v4-xlate-stateful-12 (work in 325 progress), July 2010. 327 [I-D.miles-behave-l2nat] 328 Miles, D. and M. Townsley, "Layer2-Aware NAT", 329 draft-miles-behave-l2nat-00 (work in progress), 330 March 2009. 332 [TRILOGY] "Trilogy Project", http://www.trilogy-project.org/. 334 Appendix A. Contributors 336 The ideas in this draft were first presented in 337 [I-D.ietf-softwire-dual-stack-lite]. This document also in debt to 338 [I-D.arkko-townsley-coexistence] and [I-D.miles-behave-l2nat]. 339 However, all of these documents focused on additional components, 340 such as tunneling protocols or the allocation of special IP address 341 ranges. We wanted to publish a specification that just focuses on 342 the core functionality of a per-interface NAT mappings. However, 343 David Miles, and Alain Durand should be credited with coming up with 344 the ideas discussed in this memo. 346 Appendix B. Acknowledgments 348 The authors would also like to thank Randy Bush, Fredrik Garneij, Dan 349 Wing, Christian Vogt, Marcelo Braun, Joel Halpern, Wassim Haddad, 350 Alan Kavanaugh and others for interesting discussions in this problem 351 space. 353 Lars Eggert is partly funded by the Trilogy Project [TRILOGY], a 354 research project supported by the European Commission under its 355 Seventh Framework Program. 357 Authors' Addresses 359 Jari Arkko 360 Ericsson 361 Jorvas 02420 362 Finland 364 Email: jari.arkko@piuha.net 366 Lars Eggert 367 Nokia Research Center 368 P.O. Box 407 369 Nokia Group 00045 370 Finland 372 Phone: +358 50 48 24461 373 Email: lars.eggert@nokia.com 374 URI: http://research.nokia.com/people/lars_eggert/ 375 Mark Townsley 376 Cisco 377 Paris 75006 378 France 380 Email: townsley@cisco.com