idnits 2.17.1 draft-cheng-behave-cgn-cfg-radius-ext-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 17, 2013) is 3776 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 5176 == Outdated reference: A later version (-13) exists of draft-ietf-softwire-lw4over6-03 -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Cheng 3 Internet-Draft Huawei Technologies 4 Intended status: Standards Track J. Korhonen 5 Expires: June 20, 2014 Broadcom 6 M. Boucadair 7 France Telecom 8 S. Sivakumar 9 Cisco Systems 10 December 17, 2013 12 RADIUS Extensions for Port Set Configuration and Reporting 13 draft-cheng-behave-cgn-cfg-radius-ext-07 15 Abstract 17 This document defines new RADIUS attributes that can be used by a 18 device implementing port ranges to communicate with a RADIUS server 19 to configure and/or report TCP/UDP port sets and ICMP identifiers 20 mapping behavior for specific hosts. This mechanism can be used in 21 various deployment scenarios such as CGN, NAT64, Provider WiFi 22 Gateway, etc. 24 This document does not make any assumption about the deployment 25 context. 27 Requirements Language 29 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 30 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 31 document are to be interpreted as described in RFC 2119 [RFC2119]. 33 Status of This Memo 35 This Internet-Draft is submitted in full conformance with the 36 provisions of BCP 78 and BCP 79. 38 Internet-Drafts are working documents of the Internet Engineering 39 Task Force (IETF). Note that other groups may also distribute 40 working documents as Internet-Drafts. The list of current Internet- 41 Drafts is at http://datatracker.ietf.org/drafts/current/. 43 Internet-Drafts are draft documents valid for a maximum of six months 44 and may be updated, replaced, or obsoleted by other documents at any 45 time. It is inappropriate to use Internet-Drafts as reference 46 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on June 20, 2014. 50 Copyright Notice 52 Copyright (c) 2013 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (http://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 68 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 3. RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . 5 70 3.1. Port-Session-Limit Attribute . . . . . . . . . . . . . . 5 71 3.2. Port-Session-Range Attribute . . . . . . . . . . . . . . 7 72 3.3. Port-Forwarding-Map Attribute . . . . . . . . . . . . . . 9 73 4. Applications, Use Cases and Examples . . . . . . . . . . . . 11 74 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 11 75 4.1.1. Configure CGN Session Limit . . . . . . . . . . . . . 12 76 4.1.2. Report CGN Session Allocation or De-allocation . . . 14 77 4.1.3. Configure CGN Forwarding Port Mapping . . . . . . . . 16 78 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 18 79 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 19 80 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 20 81 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 82 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 83 7.1. RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 21 84 7.2. Name Spaces . . . . . . . . . . . . . . . . . . . . . . . 21 85 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 86 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 87 9.1. Normative References . . . . . . . . . . . . . . . . . . 21 88 9.2. Informative References . . . . . . . . . . . . . . . . . 22 89 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 91 1. Introduction 93 In a broadband network, customer information is usually stored on a 94 RADIUS server [RFC2865] and at the time when a user initiates an IP 95 connection request, the RADIUS server will populate the user's 96 configuration information to the Network Access Server (NAS), which 97 is usually co-located with the Border Network Gateway (BNG), after 98 the connection request is granted. The Carrier Grade NAT (CGN) 99 function may also implemented on the BNG, and therefore CGN TCP/UDP 100 port (or ICMP identifier) mapping behavior can be configured on the 101 RADIUS server as part of the user profile, and populated to the NAS 102 in the same manner. In addition, during the operation, the CGN can 103 also convey port/identifier mapping behavior specific to a user to 104 the RADIUS server, as part of the normal RADIUS accounting process. 106 The CGN device that communicates with a RADIUS server using RADIUS 107 extensions defined in this document may perform NAT44 [RFC3022], 108 NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function. 110 For the CGN example, when IP packets traverse a CGN, it would perform 111 TCP/UDP source port mapping or ICMP identifier mapping as required. 112 A TCP/ UDP source port or ICMP identifier, along with source IP 113 address, destination IP address, destination port and protocol 114 identifier if applicable, uniquely identify a session. Since the 115 number space of TCP/UDP ports and ICMP identifiers in CGN's external 116 realm is shared among multiple users assigned with the same IPv4 117 address, the total number of a user's simultaneous IP sessions is 118 likely to subject to port quota. 120 The attributes defined in this document may also be used to report 121 the assigned port set in some deployment such as Provider Wi-Fi 122 [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting 123 host can be managed by a CPE which will need to report the assigned 124 port set to the service platform. This is required for 125 identification purposes (see WT-146 for example). 127 This document proposes three new RADIUS attributes as RADIUS 128 protocol's extensions, and they are used for separate purposes as 129 follows: 131 o A session limit is configured on a RADIUS server based on service 132 agreement with a subscriber, and this parameter imposes the limit 133 of total number of TCP/UDP ports and/or ICMP identifiers that the 134 subscriber can use. Alternately, a separate session limit may be 135 configured to limit the number of TCP ports, UDP ports, or the sum 136 of the two, and ICMP identifiers, respectively, that the user can 137 use. The session limit is carried by a new RADIUS attribute Port- 138 Session-Limit, which is included in a RADIUS Access-Accept message 139 sent by the RADIUS server to port-based device. This new RADIUS 140 attribute can also be included in a RADIUS CoA message sent by the 141 RADIUS server to the port-based device in order to change the 142 session limit previously configured. 144 o A port-based device may allocate or de-allocate a set of TCP/UDP 145 ports or ICMP identifiers for a specific subscriber. When it does 146 so, the associated session range along with the shared IPv4 147 address can be conveyed to the RADIUS server as part of the 148 accounting process. These parameters are carried by a new RADIUS 149 attribute Port-Session-Range, which is included in a RADIUS 150 Accounting- Request message sent by the port-based device to the 151 RADIUS server. 153 o A user may require the port-based device to perform port 154 forwarding function, i.e., a port mapping is pre-configured on the 155 port-based so that inbound IP packets sent by some applications 156 from the port-based external realm can pass through that device 157 and reach the user. The port mapping information includes the 158 port-based device internal port, external port, and may also 159 include the associated internal IPv4 or IPv6 address, and is 160 carried by a new RADIUS attribute Port- Forwarding-Map, which is 161 included in a RADIUS Access-Accept message sent by the RADIUS 162 server to the port-based device. This new RADIUS attribute can 163 also be included in a RADIUS CoA message sent by the RADIUS server 164 to the port-based device in order to change the forwarding port 165 mapping previously configured. 167 2. Terminology 169 Some terms that are used in this document are listed as follows: 171 o Session Limit - This is the maximum number of TCP ports, or UDP 172 ports, or the total of the two, or ICMP identifiers, or the total 173 of the three, that a device supporting port ranges can use when 174 performing mapping on TCP/ UDP ports or ICMP identifiers for a 175 specific user. 177 o Session Range - This specifies a set of TCP/UDP port numbers or 178 ICMP identifiers, indicated by the port/identifier with the 179 smallest numerical number and the port/identifier with the largest 180 numerical number, inclusively. 182 o Internal IP Address - The IP address that is used as a source IP 183 address in an outbound IP packet sent toward a device supporting 184 port ranges in the internal realm. In IPv4 case, it is typically 185 a private address [RFC1918]. 187 o External IP Address - The IP address that is used as a source IP 188 address in an outbound IP packet after traversing a device 189 supporting port ranges in the external realm. In IPv4 case, it is 190 typically a global and routable IP address. 192 o Internal Port - The internal port is a UDP or TCP port, or an ICMP 193 identifier, which is allocated by a host or application behind a 194 device supporting port ranges for an outbound IP packet in the 195 internal realm. 197 o External Port - The external port is a UDP or TCP port, or an ICMP 198 identifier, which is allocated by a device supporting port ranges 199 upon receiving an outbound IP packet in the internal realm, and is 200 used to replace the internal port that is allocated by a user or 201 application. 203 o External realm - The networking segment where IPv4 public 204 addresses are used in respective of the device supporting port 205 ranges. 207 o Internal realm - The networking segment that is behind a device 208 supporting port ranges and where IPv4 private addresses are used. 210 o Mapping - This term in this document associates with a device 211 supporting port ranges for a relationship between an internal IP 212 address, internal port and the protocol, and an external IP 213 address, external port, and the protocol. 215 o Port-based device - A device that is capable of providing IP 216 address and TCP/UDP port mapping services and in particular, with 217 the granularity of one or more subsets within the 16-bit TCP/UDP 218 port number range. A typical example of this device can be a CGN, 219 CPE, Provider Wi-Fi Gateway, etc. 221 Note the terms "internal IP address", "internal port", "internal 222 realm", "external IP address", "external port", "external realm", and 223 "mapping" and their semantics are the same as in [RFC6887], and 224 [RFC6888]. 226 3. RADIUS Attributes 228 [Discussion: should these attributes be allocated from the 229 extended RADIUS attribute code space?] 231 [Discussion: Should we define a dedicated attribute 232 (port_set_policies) to configure the following policies: (1) 233 enforce port randomization, (2) include/exclude the WKP in the 234 port assignment, (3) preserve parity, (4) quota for explicit port 235 mapping, (5) DSCP marking policy, (6) Port hold down timer, (7) 236 port hold down pool, etc. Perhaps we don't need to cover all 237 these parameters.] 239 3.1. Port-Session-Limit Attribute 240 This attribute is of type complex [RFC6158] and specifies the limit 241 of TCP ports, or UDP ports, or the sum of the two, or ICMP 242 identifiers, or the sum of the three, which is configured on a device 243 supporting port ranges corresponding to a specific subscriber. 245 The Port-Session-Limit MAY appear in an Access-Accept packet, it MAY 246 also appear in an Access-Request packet as a hint by the device 247 supporting port ranges, which is co-allocated with the NAS, to the 248 RADIUS server as a preference, although the server is not required to 249 honor such a hint. 251 The Port-Session-Limit MAY appear in an CoA-Request packet. 253 The Port-Session-Limit MAY appear in an Accounting-Request packet. 255 The Port-Session-Limit MUST NOT appear in any other RADIUS packets. 257 The format of the Port-Session-Limit RADIUS attribute format is shown 258 below. The fields are transmitted from left to right. 260 0 1 2 3 261 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 263 | Type | Length | ST | Session 264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 265 Limit | 266 +-+-+-+-+-+-+-+-+ 268 Type: 270 TBA1 for Port-Session-Limit. 272 Length: 274 5 octets. This field indicates the total length in octets of this 275 attribute including the Type and the Length field. 277 ST (Session Type): 279 This one octet field contains an enumerated value that indicates 280 the applicability of the Session Limit as follows: 282 0: 284 The limit as specified is applied to each transport protocol 285 (TCP/UDP) and ICMP Identifiers as a whole. 287 1: 289 The limit as specified is applied to TCP and UDP ports. 291 2: 293 The limit as specified is applied to TCP ports. 295 3: 297 The limit as specified is applied to UDP ports. 299 4: 301 The limit as specified is applied to ICMP Identifiers. 303 5-255: 305 These values are undefined. 307 Session Limit: 309 This field contains the maximum number that is assigned to the 310 transport sessions depending on the value in the Session Type (ST) 311 field, that the specific user can use. 313 3.2. Port-Session-Range Attribute 315 This attribute is of type complex [RFC6158] and contains a range of 316 numbers for TCP ports or UDP ports, or both, or for ICMP Identifiers, 317 which has been allocated or de-allocated by a device supporting port 318 ranges for a given subscriber, along with an external IPv4 address 319 that is associated with any TCP/UDP port or ICMP identifier in the 320 range. 322 In some CGN deployment scenarios as described such as L2NAT 323 [I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619] and Lightweight 324 4over6 [I-D.ietf-softwire-lw4over6], parameters at a customer premise 325 such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6 326 prefix, VRF ID, etc., may also be required to pass to the RADIUS 327 server as part of the accounting record. 329 The Port-Session-Range MAY appear in an Accounting-Request packet. 331 The Port-Session-Range MUST NOT appear in any other RADIUS packets. 333 The port range follows the encoding specified in [RFC6431]; as such 334 both contiguous and non-contiguous port sets are supported. 336 The format of the Port-Session-Range RADIUS attribute format is shown 337 below. The fields are transmitted from left to right. 339 0 1 2 3 340 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 342 | Type | Length | ST |A| Reserved | 343 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 344 | Port Range Mask | Port Range Value | 345 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 346 | External IPv4 Address | 347 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 348 | Local Session ID .... 349 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-- 351 Type: 353 TBA2 for Port-Session-Range. 355 Length: 357 12 octets plus the length of optional field Local Session ID. 358 This field indicates the total length in octets of this attribute 359 including the Type and the Length field. 361 ST (Session Type): 363 This one octet field contains an enumerated value that indicates 364 the semantics of the session range. The values follow the Session 365 Type encoding defined in Section 3.1 except that the following 366 values are not valid in scope of this attribute: 368 0: 370 The limit as specified is applied to the sum of TCP ports, UDP 371 ports, and ICMP Identifiers as a whole. 373 A-bit Flag: 375 This field is set to 0 or 1, indicates that the session range has 376 been allocated or de-allocated, respectively, by the device 377 supporting port ranges. 379 Reserved: 381 This field MUST be set to zero by the sender and ignored by the 382 receiver. 384 Port Range Mask: 386 The Port Range Mask indicates the position of the bits that are 387 used to build the Port Range Value. By default, no PRM value is 388 assigned. The 1 values in the Port Range Mask indicate by their 389 position the significant bits of the Port Range Value. Refer to 390 [RFC6431] for more details. 392 Port Range Value: 394 The PRV indicates the value of the significant bits of the Port 395 Mask. By default, no PRV is assigned. Refer to [RFC6431] for 396 more details. 398 External IPv4 Address: 400 This is an optional field. If present, this field contains the 401 IPv4 address assigned to the associated subscriber to be used in 402 the external realm. If set to 0/0, the allocation address policy 403 is local to the device supporting port ranges. 405 Local Session ID: 407 This is an optional field and if presents, it contains a local 408 session identifier at the customer premise, such as MAC address, 409 interface ID, VLAN ID, PPP sessions ID, VRF ID, IPv6 address/ 410 prefix, etc. The length of this field equals to the total 411 attribute length minus 12 octets. If this field is not present, 412 the port range policies must be enforced to all subscribers using 413 a local subscriber identifier. 415 3.3. Port-Forwarding-Map Attribute 417 This attribute is type of complex [RFC6158] and contains a 16-bit 418 Internal Port that identifies the source TCP/UDP port number of an IP 419 packet sent by the user, or the destination port number of an IP 420 packet destined to the user, and in both cases, the IP packet travels 421 behind the NAT device. Also they contain a 16-bit Configured 422 External Port that identifies the source TCP/UDP port number of an IP 423 packet sent by the user, or the destination port number of an IP 424 packet destined to the user, and in both cases, the IP packet travels 425 outside of the NAT device. In addition, the attribute may contain a 426 32-bit IPv4 address or a 128-bit IPv6 address, respectively, as their 427 respective NAT mappings internal IP address. Together, the port pair 428 and IP address determine the port mapping rule for a specific IP flow 429 that traverses a NAT device. 431 The attribute MAY appear in an Access-Accept packet, and may also 432 appear in an Accounting-Request packet. In either case, the 433 attribute MUST NOT appear more than once in a single packet. 435 The attribute MUST NOT appear in any other RADIUS packets. 437 The format of the Port-Forwarding-Map RADIUS attribute format is 438 shown below. The fields are transmitted from left to right. 440 0 1 2 3 441 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 442 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 443 | Type | Length | AF | Reserved | 444 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 445 | Internal Port | Configured External Port | 446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 447 | Internal IP Address ..... 448 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 450 Type: 452 TBA3 for Port-Forwarding-Map. 454 Length: 456 This field indicates the total length in octets of this attribute 457 including the Type and the Length field. Depending on the value 458 of the AF field, the length could be 8, 12 or 24 octets. 460 AF (Address Family): 462 This one octet field contains a value that indicates address 463 family of the internal IP address at the mapping as follows: 465 0: 467 There is no internal address attached. 469 1: 471 The internal address is an IPv4 address. 473 2: 475 The internal address is an IPv6 address. 477 3-255: 479 Unused. 481 [Discussion: should we use IANA assigned protocol numbers here?] 483 Reserved: 485 This field is set to zero by the sender and ignored by the 486 receiver. 488 Internal Port: 490 This field contains the internal port for the CGN mapping. 492 Configured External Port: 494 This field contains the external port for the CGN mapping. 496 Internal IP Address: 498 This field may or may not present, and when it does, contains the 499 internal IPv4 or IPv6 address for the CGN mapping. 501 4. Applications, Use Cases and Examples 503 This section describes some applications and use cases to illustrate 504 the use of the RADIUS port set attributes. 506 4.1. Managing CGN Port Behavior using RADIUS 508 In a broadband network, customer information is usually stored on a 509 RADIUS server, and the BNG hosts the NAS. The communication between 510 the NAS and the RADIUS server is triggered by a subscriber when the 511 user signs in to the Internet service, where either PPP or DHCP/ 512 DHCPv6 is used. When a user signs in, the NAS sends a RADIUS Access- 513 Request message to the RADIUS server. The RADIUS server validates 514 the request, and if the validation succeeds, it in turn sends back a 515 RADIUS Access-Accept message. The Access-Accept message carries 516 configuration information specific to that user, back to the NAS, 517 where some of the information would pass on to the requesting user 518 via PPP or DHCP/DHCPv6. 520 A CGN function in a broadband network would most likely reside on a 521 BNG. In that case, parameters for CGN port/identifier mapping 522 behavior for users can be configured on the RADIUS server. When a 523 user signs in to the Internet service, the associated parameters can 524 be conveyed to the NAS, and proper configuration is accomplished on 525 the CGN device for that user. 527 Also, CGN operation status such as CGN port/identifier allocation and 528 de-allocation for a specific user on the BNG can also be transmitted 529 back to the RADIUS server for accounting purpose using the RADIUS 530 protocol. 532 RADIUS protocol has already been widely deployed in broadband 533 networks to manage BNG, thus the functionality described in this 534 specification introduces little overhead to the existing network 535 operation. 537 In the following sub-sections, we describe how to manage CGN behavior 538 using RADIUS protocol, with required RADIUS extensions proposed in 539 Section 3. 541 4.1.1. Configure CGN Session Limit 543 In the face of IPv4 address shortage, there are currently proposals 544 to multiplex multiple subscribers' connections over a smaller number 545 of shared IPv4 addresses, such as Carrier Grade NAT [RFC6888], Dual- 546 Stack Lite [RFC6333], NAT64 [RFC6146], etc. As a result, a single 547 IPv4 public address may be shared by hundreds or even thousands of 548 subscribers. As indicated in [RFC6269], it is therefore necessary to 549 impose limits on the total number of ports available to an individual 550 subscriber to ensure that the shared resource, i.e., the IPv4 address 551 remains available in some capacity to all the subscribers using it, 552 and port limiting is also documented in [RFC6888] as a requirement. 554 There are two practical granularities to impose such a limit. One is 555 to define a session limit that is imposed to the total number of TCP 556 and UDP ports, plus the number of ICMP identifiers, for a specific 557 subscriber. Alternatively, a session limit can be specified for the 558 sum of TCP ports and UDP ports, or a separate session limit for TCP 559 ports and UDP ports, respectively, and another session limit for ICMP 560 identifiers. 562 The per-subscriber based session limit(s) is configured on a RADIUS 563 server, along with other user information such as credentials. The 564 value of these session limit(s) is based on service agreement and its 565 specification is out of the scope of this document. 567 When a subscriber signs in to the Internet service successfully, the 568 session limit(s) for the subscriber is passed to the BNG based NAS, 569 where CGN also locates, using a new RADIUS attribute called Port- 570 Session-Limit (defined in Section 3.1), along with other 571 configuration parameters. While some parameters are passed to the 572 subscriber, the session limit(s) is recorded on the CGN device for 573 imposing the usage of TCP/UDP ports and ICMP identifiers for that 574 subscriber. 576 Figure 1 illustrates how RADIUS protocol is used to configure the 577 maximum number of TCP/UDP ports for a given subscriber on a NAT44 578 device. 580 User NAT44/NAS AAA 581 | BNG Server 582 | | | 583 | | | 584 |----Service Request------>| | 585 | | | 586 | |-----Access-Request -------->| 587 | | | 588 | |<----Access-Accept-----------| 589 | | (Port-Session-Limit) | 590 | | (for TCP/UDP ports) | 591 |<---Service Granted ------| | 592 | (other parameters) | | 593 | | | 594 | (NAT44 external port | 595 | allocation and | 596 | IPv4 address assignment) | 597 | | | 599 Figure 1: RADIUS Message Flow for Configuring NAT44 Port Limit 601 The session limit(s) created on a CGN device for a specific user 602 using RADIUS extension may be changed using RADIUS CoA message 603 [RFC5176] that carries the same RADIUS attribute. The CoA message 604 may be sent from the RADIUS server directly to the NAS, which once 605 accepts and sends back a RADIUS CoA ACK message, the new session 606 limit replaces the previous one. 608 Figure 2 illustrates how RADIUS protocol is used to increase the TCP/ 609 UDP port limit from 1024 to 2048 on a NAT44 device for a specific 610 user. 612 User NAT/NAS AAA 613 | BNG Server 614 | | | 615 | TCP/UDP Port Limit (1024) | 616 | | | 617 | |<---------CoA Request----------| 618 | | (Port-Session-Limit) | 619 | | (for TCP/UDP ports) | 620 | | | 621 | TCP/UDP Port Limit (2048) | 622 | | | 623 | |---------CoA Response--------->| 624 | | | 626 Figure 2: RADIUS Message Flow for changing a user's NAT44 port limit 628 4.1.2. Report CGN Session Allocation or De-allocation 630 Upon obtaining the session limit(s) for a subscriber, the CGN device 631 needs to allocate a TCP/UDP port or an ICMP identifiers for the 632 subscriber when receiving a new IP flow sent from that subscriber. 634 As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP 635 identifiers once at a time for a specific user, instead of one port/ 636 identifier at a time, and within each session bulk, the ports/ 637 identifiers may be randomly distributed or in consecutive fashion. 638 When a CGN device allocates bulk of TCP/UDP ports and ICMP 639 identifiers, the information can be easily conveyed to the RADIUS 640 server by a new RADIUS attribute called the CGN-Session-Range 641 (defined in Section 3.2). The CGN device may allocate one or more 642 TCP/UDP port ranges or ICMP identifier ranges, or generally called 643 session ranges, where each range contains a set of numbers 644 representing TCP/UDP ports or ICMP identifiers, and the total number 645 of sessions must be less or equal to the associated session limit 646 defined for that subscriber. A CGN device may choose to allocate a 647 small session range, and allocate more at a later time as needed; 648 such practice is good because its randomization in nature. 650 At the same time, the CGN device also needs to decide the shared IPv4 651 address for that subscriber. The shared IPv4 address and the pre- 652 allocated session range are both passed to the RADIUS server. 654 When a subscriber initiates an IP flow, the CGN device randomly 655 selects a TCP/UDP port or ICMP identifier from the associated and 656 pre-allocated session range for that subscriber to replace the 657 original source TCP/UDP port or ICMP identifier, along with the 658 replacement of the source IP address by the shared IPv4 address. 660 A CGN device may decide to "free" a previously assigned set of TCP/ 661 UDP ports or ICMP identifiers that have been allocated for a specific 662 subscriber but not currently in use, and with that, the CGN device 663 must send the information of the de-allocated session range along 664 with the shared IPv4 address to the RADIUS server. 666 Figure 3 illustrates how RADIUS protocol is used to report a set of 667 ports allocated and de-allocated, respectively, by a NAT44 device for 668 a specific user to the RADIUS server. 670 Host NAT44/NAS AAA 671 | BNG Server 672 | | | 673 | | | 674 |----Service Request------>| | 675 | | | 676 | |-----Access-Request -------->| 677 | | | 678 | |<----Access-Accept-----------| 679 |<---Service Granted ------| | 680 | (other parameters) | | 681 ... ... ... 682 | | | 683 | | | 684 | (NAT44 decides to allocate | 685 | a TCP/UDP port range for the user) | 686 | | | 687 | |-----Accounting-Request----->| 688 | | (Port-Session-Range | 689 | | for allocation) | 690 ... ... ... 691 | | | 692 | (NAT44 decides to de-allocate | 693 | a TCP/UDP port range for the user) | 694 | | | 695 | |-----Accounting-Request----->| 696 | | (Port-Session-Range | 697 | | for de-allocation) | 698 | | | 700 Figure 3: RADIUS Message Flow for reporting NAT44 allocation/de- 701 allocation of a port set 703 4.1.3. Configure CGN Forwarding Port Mapping 705 In most scenarios, the port mapping on a NAT device is dynamically 706 created when the IP packets of an IP connection initiated by a user 707 arrives. For some applications, the port mapping needs to be pre- 708 defined allowing IP packets of applications from outside a CGN device 709 to pass through and "port forwarded" to the correct user located 710 behind the CGN device. 712 Port Control Protocol [RFC6887], provides a mechanism to create a 713 mapping from an external IP address and port to an internal IP 714 address and port on a CGN device just to achieve the "port 715 forwarding" purpose. PCP is a server-client protocol capable of 716 creating or deleting a mapping along with a rich set of features on a 717 CGN device in dynamic fashion. In some deployment, all users need is 718 a few, typically just one pre-configured port mapping for 719 applications such as web cam at home, and the lifetime of such a port 720 mapping remains valid throughout the duration of the customer's 721 Internet service connection time. In such an environment, it is 722 possible to statically configure a port mapping on the RADIUS server 723 for a user and let the RADIUS protocol to propagate the information 724 to the associated CGN device. 726 Figure 4 illustrates how RADIUS protocol is used to configure a 727 forwarding port mapping on a NAT44 device by using RADIUS protocol. 729 Host NAT/NAS AAA 730 | BNG Server 731 | | | 732 |----Service Request------>| | 733 | | | 734 | |---------Access-Request------->| 735 | | | 736 | |<--------Access-Accept---------| 737 | | (Port-Forwarding-Map) | 738 |<---Service Granted ------| | 739 | (other parameters) | | 740 | | | 741 | (Create a port mapping | 742 | for the user, and | 743 | associate it with the | 744 | internal IP address | 745 | and external IP address) | 746 | | | 747 | | | 748 | |------Accounting-Request------>| 749 | | (Port-Forwarding-Map) | 751 Figure 4: RADIUS Message Flow for configuring a forwarding port 752 mapping 754 A port forwarding mapping that is created on a CGN device using 755 RADIUS extension as described above may also be changed using RADIUS 756 CoA message [RFC5176] that carries the same RADIUS associate. The 757 CoA message may be sent from the RADIUS server directly to the NAS, 758 which once accepts and sends back a RADIUS CoA ACK message, the new 759 port forwarding mapping then replaces the previous one. 761 Figure 5 illustrates how RADIUS protocol is used to change an 762 existing port mapping from (a:X) to (a:Y), where "a" is an internal 763 port, and "X" and "Y" are external ports, respectively, for a 764 specific user with a specific IP address 765 Host NAT/NAS AAA 766 | BNG Server 767 | | | 768 | Internal IP Address | 769 | Port Map (a:X) | 770 | | | 771 | |<---------CoA Request----------| 772 | | (Port-Forwarding-Map) | 773 | | | 774 | Internal IP Address | 775 | Port Map (a:Y) | 776 | | | 777 | |---------CoA Response--------->| 778 | | (Port-Forwarding-Map) | 780 Figure 5: RADIUS Message Flow for changing a user's forwarding port 781 mapping 783 4.1.4. An Example 785 An Internet Service Provider (ISP) assigns TCP/UDP 500 ports for the 786 subscriber Joe. This number is the limit that can be used for TCP/UDP 787 ports on a NAT44 device for Joe, and is configured on a RADIUS 788 server. Also, Joe asks for a pre-defined port forwarding mapping on 789 the NAT44 device for his web cam applications (external port 5000 790 maps to internal port 80). 792 When Joe successfully connects to the Internet service, the RADIUS 793 server conveys the TCP/UDP port limit (1000) and the forwarding port 794 mapping (external port 5000 to internal port 80) to the NAT44 device, 795 using Port-Session-Limit attribute and Port-Forwarding-Map attribute, 796 respectively, carried by an Access-Accept message to the BNG where 797 NAS and CGN co-located. 799 Upon receiving the first outbound IP packet sent from Joe's laptop, 800 the NAT44 device decides to allocate a small port pool that contains 801 40 consecutive ports, from 3500 to 3540, inclusively, and also assign 802 a shared IPv4 address 192.0.2.15, for Joe. The NAT44 device also 803 randomly selects one port from the allocated range (say 3519) and use 804 that port to replace the original source port in outbound IP packets. 806 For accounting purpose, the NAT44 device passes this port range 807 (3500-3540) and the shared IPv4 address 192.0.2.15 together to the 808 RADIUS server using Port-Session-Range attribute carried by an 809 Accounting-Request message. 811 When Joe works on more applications with more outbound IP sessions 812 and the port pool (3500-3540) is close to exhaust, the NAT44 device 813 allocates a second port pool (8500-8800) in a similar fashion, and 814 also passes the new port range (8500-8800) and IPv4 address 815 192.0.2.15 together to the RADIUS server using Port-Session-Range 816 attribute carried by an Accounting-Request message. Note when the 817 CGN allocates more ports, it needs to assure that the total number of 818 ports allocated for Joe is within the limit. 820 Joe decides to upgrade his service agreement with more TCP/UDP ports 821 allowed (up to 1000 ports). The ISP updates the information in Joe's 822 profile on the RADIUS server, which then sends a CoA-Request message 823 that carries the Port-Session-Limit attribute with 1000 ports to the 824 NAT44 device; the NAT44 device in turn sends back a CoA-ACK message. 825 With that, Joe enjoys more available TCP/UDP ports for his 826 applications. 828 When Joe travels, most of the IP sessions are closed with their 829 associated TCP/UDP ports released on the NAT44 device, which then 830 sends the relevant information back to the RADIUS server using Port- 831 Session-Range attribute carried by Accounting-Request message. 833 Throughout Joe's connection with his ISP Internet service, 834 applications can communicate with his web cam at home from external 835 realm directly traversing the pre-configured mapping on the CGN 836 device. 838 When Joe disconnects from his Internet service, the CGN device will 839 de-allocate all TCP/UDP ports as well as the port-forwarding mapping, 840 and send the relevant information to the RADIUS server. 842 4.2. Report Assigned Port Set for a Visiting UE 844 Figure 6 illustrates an example of the flow exchange which occurs 845 when a visiting UE connects to a CPE offering Wi-Fi service. 847 For identification purposes (see [RFC6967]), once the CPE assigns a 848 port set, it issues a RADIUS message to report the assigned port set. 850 UE CPE NAS AAA 851 | BNG Server 852 | | | 853 | | | 854 |----Service Request------>| | 855 | | | 856 | |-----Access-Request -------->| 857 | | | 858 | |<----Access-Accept-----------| 859 |<---Service Granted ------| | 860 | (other parameters) | | 861 ... | ... ... 862 |<---IP@----| | | 863 | | | | 864 | (CPE assigns a TCP/UDP port | 865 | range for this visiting UE) | 866 | | | 867 | |--Accounting-Request-...------------------->| 868 | | (Port-Session-Range | 869 | | for allocation) | 870 ... | ... ... 871 | | | | 872 | | | | 873 | (CPE withdraws a TCP/UDP port | 874 | range for a visiting UE) | 875 | | | 876 | |--Accounting-Request-...------------------->| 877 | | (Port-Session-Range | 878 | | for de-allocation) | 879 | | | 881 Figure 6: RADIUS Message Flow for reporting CPE allocation/de- 882 allocation of a port set to a visiting UE 884 5. Table of Attributes 886 The following table provides a guide as the attributes may be found 887 in which kinds of RADIUS packets, and in what quantity. 889 Request Accept Reject Challenge Acct. # Attribute 890 Request 891 0-1 0-1 0 0 0-1 TBA1 Port-Session-Limit 892 0 0 0 0 0-1 TBA2 Port-Session-Range 893 0-1 0-1 0 0 0-1 TBA3 Port-Forwarding-Map 895 The following table defines the meaning of the above table entries. 897 0 This attribute MUST NOT be present in packet. 898 0+ Zero or more instances of this attribute MAY be present in 899 packet. 900 0-1 Zero or one instance of this attribute MAY be present in packet. 902 6. Security Considerations 904 This document does not introduce any security issue than what has 905 been identified in [RFC2865]. 907 7. IANA Considerations 909 7.1. RADIUS Attributes 911 This document requires new code point assignment for the three new 912 RADIUS attributes as follows: 914 o Port-Session-Limit 916 o Port-Session-Range 918 o Port-Forwarding-Map 920 7.2. Name Spaces 922 This document establishes a new name space for Session Type (see 923 Section 3.1 for the initial reservation of values. The allocation of 924 future values is according to RFC Required policy [RFC5226]. 926 8. Acknowledgements 928 Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, and David 929 Thaler for their useful comments and suggestions. 931 9. References 933 9.1. Normative References 935 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 936 E. Lear, "Address Allocation for Private Internets", BCP 937 5, RFC 1918, February 1996. 939 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 940 Requirement Levels", BCP 14, RFC 2119, March 1997. 942 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, 943 "Remote Authentication Dial In User Service (RADIUS)", RFC 944 2865, June 2000. 946 [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. 947 Aboba, "Dynamic Authorization Extensions to Remote 948 Authentication Dial In User Service (RADIUS)", RFC 5176, 949 January 2008. 951 9.2. Informative References 953 [I-D.gundavelli-v6ops-community-wifi-svcs] 954 Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, 955 "Service Provider Wi-Fi Services Over Residential 956 Architectures", draft-gundavelli-v6ops-community-wifi- 957 svcs-06 (work in progress), April 2013. 959 [I-D.ietf-softwire-lw4over6] 960 Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and 961 I. Farrer, "Lightweight 4over6: An Extension to the DS- 962 Lite Architecture", draft-ietf-softwire-lw4over6-03 (work 963 in progress), November 2013. 965 [I-D.miles-behave-l2nat] 966 Miles, D. and M. Townsley, "Layer2-Aware NAT", draft- 967 miles-behave-l2nat-00 (work in progress), March 2009. 969 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 970 Address Translator (Traditional NAT)", RFC 3022, January 971 2001. 973 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 974 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 975 May 2008. 977 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 978 NAT64: Network Address and Protocol Translation from IPv6 979 Clients to IPv4 Servers", RFC 6146, April 2011. 981 [RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines", BCP 982 158, RFC 6158, March 2011. 984 [RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P. 985 Roberts, "Issues with IP Address Sharing", RFC 6269, June 986 2011. 988 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 989 Stack Lite Broadband Deployments Following IPv4 990 Exhaustion", RFC 6333, August 2011. 992 [RFC6431] Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and 993 T. Tsou, "Huawei Port Range Configuration Options for PPP 994 IP Control Protocol (IPCP)", RFC 6431, November 2011. 996 [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable 997 Operation of Address Translators with Per-Interface 998 Bindings", RFC 6619, June 2012. 1000 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 1001 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 1002 2013. 1004 [RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A., 1005 and H. Ashida, "Common Requirements for Carrier-Grade NATs 1006 (CGNs)", BCP 127, RFC 6888, April 2013. 1008 [RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno, 1009 "Analysis of Potential Solutions for Revealing a Host 1010 Identifier (HOST_ID) in Shared Address Deployments", RFC 1011 6967, June 2013. 1013 Authors' Addresses 1015 Dean Cheng 1016 Huawei Technologies 1017 2330 Central Expressway 1018 Santa Clara, California 95050 1019 USA 1021 Email: dean.cheng@huawei.com 1023 Jouni Korhonen 1024 Broadcom 1025 Porkkalankatu 24 1026 FIN-00180 Helsinki 1027 Finland 1029 Email: jouni.nospam@gmail.com 1031 Mohamed Boucadair 1032 France Telecom 1033 Rennes 1034 France 1036 Email: mohamed.boucadair@orange.com 1037 Senthil Sivakumar 1038 Cisco Systems 1039 7100-8 Kit Creek Road 1040 Research Triangle Park, North Carolina 1041 USA 1043 Email: ssenthil@cisco.com