idnits 2.17.1 draft-cheng-radext-ip-port-radius-ext-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 19, 2014) is 3660 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2629 (Obsoleted by RFC 7749) ** Downref: Normative reference to an Informational RFC: RFC 5176 == Outdated reference: A later version (-13) exists of draft-ietf-softwire-lw4over6-08 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Cheng 3 Internet-Draft Huawei 4 Intended status: Standards Track J. Korhonen 5 Expires: October 21, 2014 Broadcom 6 M. Boucadair 7 France Telecom 8 S. Sivakumar 9 Cisco Systems 10 April 19, 2014 12 RADIUS Extensions for IP Port Configuration and Reporting 13 draft-cheng-radext-ip-port-radius-ext-00 15 Abstract 17 This document defines three new RADIUS attributes. For device that 18 implementing IP port ranges, these attributes are used to communicate 19 with a RADIUS server in order to configure and report TCP/UDP ports 20 and ICMP identifiers, as well as mapping behavior for specific hosts. 21 This mechanism can be used in various deployment scenarios such as 22 CGN, NAT64, Provider WiFi Gateway, etc. 24 This document does not make any assumption about the deployment 25 context. 27 Requirements Language 29 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 30 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 31 document are to be interpreted as described in RFC 2119 [RFC2119]. 33 Status of This Memo 35 This Internet-Draft is submitted in full conformance with the 36 provisions of BCP 78 and BCP 79. 38 Internet-Drafts are working documents of the Internet Engineering 39 Task Force (IETF). Note that other groups may also distribute 40 working documents as Internet-Drafts. The list of current Internet- 41 Drafts is at http://datatracker.ietf.org/drafts/current/. 43 Internet-Drafts are draft documents valid for a maximum of six months 44 and may be updated, replaced, or obsoleted by other documents at any 45 time. It is inappropriate to use Internet-Drafts as reference 46 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on October 21, 2014. 50 Copyright Notice 52 Copyright (c) 2014 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (http://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 68 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 3. RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . 5 70 3.1. Extended-Type for IP-Port-Type . . . . . . . . . . . . . 5 71 3.2. IP-Port-Limit Attribute . . . . . . . . . . . . . . . . . 7 72 3.3. IP-Port-Range Attribute . . . . . . . . . . . . . . . . . 8 73 3.4. IP-Port-Forwarding-Map Attribute . . . . . . . . . . . . 10 74 4. Applications, Use Cases and Examples . . . . . . . . . . . . 12 75 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 12 76 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 13 77 4.1.2. Report IP Port Allocation/De-allocation . . . . . . . 15 78 4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 16 79 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 18 80 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 19 81 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 20 82 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 83 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 84 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 85 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 86 9.1. Normative References . . . . . . . . . . . . . . . . . . 22 87 9.2. Informative References . . . . . . . . . . . . . . . . . 22 88 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 90 1. Introduction 92 In a broadband network, customer information is usually stored on a 93 RADIUS server [RFC2865] and at the time when a user initiates an IP 94 connection request, the RADIUS server will populate the user's 95 configuration information to the Network Access Server (NAS), which 96 is usually co-located with the Border Network Gateway (BNG), after 97 the connection request is granted. The Carrier Grade NAT (CGN) 98 function may also be implemented on the BNG, and therefore CGN TCP/ 99 UDP port (or ICMP identifier) mapping behavior can be configured on 100 the RADIUS server as part of the user profile, and populated to the 101 NAS in the same manner. In addition, during the operation, the CGN 102 can also convey port/identifier mapping behavior specific to a user 103 to the RADIUS server, as part of the normal RADIUS accounting 104 process. 106 The CGN device that communicates with a RADIUS server using RADIUS 107 extensions defined in this document may perform NAT44 [RFC3022], 108 NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function. 110 For the CGN example, when IP packets traverse a CGN, it would perform 111 TCP/UDP source port mapping or ICMP identifier mapping as required. 112 A TCP/ UDP source port or ICMP identifier, along with source IP 113 address, destination IP address, destination port and protocol 114 identifier if applicable, uniquely identify a session. Since the 115 number space of TCP/UDP ports and ICMP identifiers in CGN's external 116 realm is shared among multiple users assigned with the same IPv4 117 address, the total number of a user's simultaneous IP sessions is 118 likely to subject to port quota. 120 The attributes defined in this document may also be used to report 121 the assigned port set in some deployment such as Provider Wi-Fi 122 [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting 123 host can be managed by a CPE which will need to report the assigned 124 port set to the service platform. This is required for 125 identification purposes (see WT-146 for example). 127 This document proposes three new attributes as RADIUS protocol's 128 extensions, and they are used for separate purposes as follows: 130 o IP-Port-Limit:This attribute may be carried in RDIUS Acces-Accept, 131 Accounting-Request or CoA-Request packet. The purpose of this 132 attribute is to limit the total number of TCP/UDP ports and/or 133 ICMP identifiers that an IP subscriber can use.. 135 o IP-Port-Range:This attribute may be carried in RADIUS Access- 136 Accept, Accounting-Request or CoA-Request packet. The purpose of 137 this attribute is to specify the range of TCP/UDP ports and/or 138 ICMP identifiers that an IP subscriber can use associated with an 139 IPv4 address. 141 o IP-Port-Forwarding-Map:This attribute may be carried in RADIUS 142 Access-Accept, Accounting-Request or CoA-Request packet. The 143 purpose of this this attribute is to specify how a TCP/UDP port 144 (or an ICMP identifier) mapping to another TCP/UDP port (or an 145 ICMP identifier). 147 This document was constructed using the [RFC2629] . 149 2. Terminology 151 Some terms that are used in this document are listed as follows: 153 o IP Port - This term refers to IP transport protocol port, 154 including TCP port, UDP port and ICMP identifier. 156 o IP Port Limit - This is the maximum number of TCP ports, or UDP 157 ports, or the total of the two, or ICMP identifiers, or the total 158 of the three, that a device supporting port ranges can use when 159 performing mapping on TCP/ UDP ports or ICMP identifiers for a 160 specific user. 162 o IP Port Range - This specifies a set of TCP/UDP port numbers or 163 ICMP identifiers, indicated by the port/identifier with the 164 smallest numerical number and the port/identifier with the largest 165 numerical number, inclusively. 167 o Internal IP Address - The IP address that is used as a source IP 168 address in an outbound IP packet sent toward a device supporting 169 port ranges in the internal realm. In IPv4 case, it is typically 170 a private address [RFC1918]. 172 o External IP Address - The IP address that is used as a source IP 173 address in an outbound IP packet after traversing a device 174 supporting port ranges in the external realm. In IPv4 case, it is 175 typically a global and routable IP address. 177 o Internal Port - The internal port is a UDP or TCP port, or an ICMP 178 identifier, which is allocated by a host or application behind a 179 device supporting port ranges for an outbound IP packet in the 180 internal realm. 182 o External Port - The external port is a UDP or TCP port, or an ICMP 183 identifier, which is allocated by a device supporting port ranges 184 upon receiving an outbound IP packet in the internal realm, and is 185 used to replace the internal port that is allocated by a user or 186 application. 188 o External realm - The networking segment where IPv4 public 189 addresses are used in respective of the device supporting port 190 ranges. 192 o Internal realm - The networking segment that is behind a device 193 supporting port ranges and where IPv4 private addresses are used. 195 o Mapping - This term in this document associates with a device 196 supporting port ranges for a relationship between an internal IP 197 address, internal port and the protocol, and an external IP 198 address, external port, and the protocol. 200 o Port-based device - A device that is capable of providing IP 201 address and TCP/UDP port mapping services and in particular, with 202 the granularity of one or more subsets within the 16-bit TCP/UDP 203 port number range. A typical example of this device can be a CGN, 204 CPE, Provider Wi-Fi Gateway, etc. 206 Note the terms "internal IP address", "internal port", "internal 207 realm", "external IP address", "external port", "external realm", and 208 "mapping" and their semantics are the same as in [RFC6887], and 209 [RFC6888]. 211 3. RADIUS Attributes 213 [Discussion: Should we define a dedicated attribute 214 (port_set_policies) to configure the following policies: (1) 215 enforce port randomization, (2) include/exclude the WKP in the 216 port assignment, (3) preserve parity, (4) quota for explicit port 217 mapping, (5) DSCP marking policy, (6) Port hold down timer, (7) 218 port hold down pool, etc. Perhaps we don't need to cover all 219 these parameters. - The discussion should be in a separate draft 220 allowing this draft dedicated to RADIUS extension only.] 222 In this section, we define the details of the following three new 223 attributes: 225 o IP-Port-Limit Attribute 227 o IP-Port-Range Attribute 229 o IP-Port-Forwarding-Map Attribute 231 All these attributes are allocated from the RADIUS "Extended Type" 232 code space per [RFC6929]. 234 3.1. Extended-Type for IP-Port-Type 236 This section defines a new Extended-Type for IP port type. The IP 237 port type may be one of the following: 239 o Refer to TCP port, UDP port, and ICMP identifier 241 o Refer to TCP port and UDP port 242 o Refer to TCP port 244 o Refer to UDP port 246 o Refer to ICMP identifier 248 0 1 2 3 249 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ 251 | Type | Length | Extended-Type | Value..... 252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ 254 Type: 256 TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- 257 Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. 259 Length: 261 This field indicates the total length in octets of all fields this 262 attribute, including the Type, Length, Extended-Type, and Value. 264 Extended-Type: 266 This one octet filed indicates the IP port as follows: 268 TBA1-1: 270 Refer to TCP port, UDP port, and ICMP identifier as a whole. 272 TBA1-2: 274 Refer to TCP port and UDP port as a whole. 276 TBA1-3: 278 Refer to TCP port only. 280 TBA1-4: 282 Refer to UDP port only. 284 TBA1-5: 286 Refer to ICMP identifier only. 288 Value: 290 This field contains one or more octects, and the data format MUST 291 be a valid RADIUS data type. 293 The interpretation of this field is determined by the identifier 294 of "TBA1.{TBA1-1..TBA1-5} along with the embedded TLV. 296 3.2. IP-Port-Limit Attribute 298 This attribute contains an Extended-Type along with a TLV data type 299 with format defined in [RFC6929]. It specifies the maximum number of 300 IP ports for a user. 302 The IP-Port-Limit MAY appear in an Access-Accept packet, it MAY also 303 appear in an Access-Request packet as a hint by the device supporting 304 port ranges, which is co-allocated with the NAS, to the RADIUS server 305 as a preference, although the server is not required to honor such a 306 hint. 308 The IP-Port-Limit MAY appear in an CoA-Request packet. 310 The IP-Port-Limit MAY appear in an Accounting-Request packet. 312 The IP-Port-Limit MUST NOT appear in any other RADIUS packets. 314 The format of the IP-Port-Limit RADIUS attribute format is shown 315 below. The fields are transmitted from left to right. 317 0 1 2 3 318 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 319 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 320 | Type | Length | Extended-Type | TLV-Type | 321 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 322 | TLV-Length | IP-Port-Limit | 323 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 325 Type: 327 TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- 328 Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. 330 Length: 332 This field indicates the total length in octets of all fields of 333 this attribute, including the Type, Length, Extended-Type, and the 334 entire length of the embedded TLV. 336 Extended-Type: 338 This one octet field contains a value that indicates the IP port 339 type, refer to Section 3.1 for details. 341 TLV-Type: 343 TBA2: for IP-Port-Limit TLV. 345 TLV-Length: 347 4. 349 IP-Port-Limit: 351 This field contains the maximum number of IP ports of which, the 352 port type is specified by the value contained in the Extended-Type 353 field. 355 Note this field is semantically associated with the identifier 356 "TBA1.{TBA1-1..TBA1-5}. 358 3.3. IP-Port-Range Attribute 360 This attribute contains an Extended-Type along with a TLV data type 361 with format defined in [RFC6929]. It contains a range of numbers for 362 IP ports allocated by a device supporting port ranges for a given 363 subscriber along with an external IPv4 address. 365 In some CGN deployment scenarios as described such as L2NAT 366 [I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619] and Lightweight 367 4over6 [I-D.ietf-softwire-lw4over6], parameters at a customer premise 368 such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6 369 prefix, VRF ID, etc., may also be required to pass to the RADIUS 370 server as part of the accounting record. 372 The IP-Port-Range MAY appear in an Accounting-Request packet. 374 The IP-Port-Range MUST NOT appear in any other RADIUS packets. 376 The format of the IP-Port-Range RADIUS attribute format is shown 377 below. The fields are transmitted from left to right. 379 0 1 2 3 380 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 381 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 382 | Type | Length | Extended-Type | TLV-Type | 383 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 384 | TLV-Length | Reserved | Port Range Start | 385 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 386 | Port range End | External IPv4 Address | 387 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 388 | External IPv4 Address | Local Session ID .... 389 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 391 Type: 393 TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- 394 Type-3 (243), or Extended-Type-4 (244) per [RFC6929] 396 Length: 398 This field indicates the total length in octets of all fields of 399 this attribute, including the Type, Length, Extended-Type, and the 400 entire length of the embedded TLV. 402 Extended-Type: 404 This one octet field contains a value that indicates the IP port 405 type, refer to Section 3.1 for details. 407 TLV-Type: 409 TBA3: 411 Allocation for IP-Port-Range TLV. 413 TBA4: 415 De-allocation for IP-Port-Range TLV. 417 TLV-Length: 419 >=11. 421 Reserved: 423 This field MUST be set to zero by the sender and ignored by the 424 receiver. 426 Port Range Start: 428 This field contains the smallest IP port number, as specified in 429 the Extended-Type, in the IP port range. 431 Port Range End: 433 This field contains the largest IP port number, as specified in 434 the Extended-Type, in the IP port range. 436 External IPv4 Address: 438 This field contains the IPv4 address assigned to the associated 439 subscriber to be used in the external realm. If set to 0.0.0.0, 440 the allocation address policy is local to the device supporting 441 port ranges. 443 Local Session ID: 445 This is an optional field and if presents, it contains a local 446 session identifier at the customer premise, such as MAC address, 447 interface ID, VLAN ID, PPP sessions ID, VRF ID, IPv6 address/ 448 prefix, etc. The length of this field equals to the value in the 449 TLV Length field minus 11 octets. If this field is not present, 450 the port range policies must be enforced to all subscribers using 451 a local subscriber identifier. 453 Note the data group in the "TLV Value" field above (i.e., "Port Range 454 Start", "Port Range End", "External IPv4 Address", and "Local Session 455 ID") is indicated by the identifier 456 TBA1.{TBA1-1..TBA1-5}.{TBA3..TBA4}. 458 3.4. IP-Port-Forwarding-Map Attribute 460 This attribute contains an Extended-Type along with a TLV data type 461 with format defined in [RFC6929]. It contains a 16-bit Internal Port 462 that identifies the source TCP/UDP port number of an IP packet sent 463 by the user, or the destination port number of an IP packet destined 464 to the user, and in both cases, the IP packet travels behind the NAT 465 device. Also it contains a 16-bit Configured External Port that 466 identifies the source TCP/UDP port number of an IP packet sent by the 467 user, or the destination port number of an IP packet destined to the 468 user, and in both cases, the IP packet travels outside of the NAT 469 device. In addition, the attribute may contain a 32-bit IPv4 address 470 or a 128-bit IPv6 address, respectively, as their respective NAT 471 mappings internal IP address. Together, the port pair and IP address 472 determine the port mapping rule for a specific IP flow that traverses 473 a NAT device. 475 The attribute MAY appear in an Access-Accept packet, and may also 476 appear in an Accounting-Request packet. In either case, the 477 attribute MUST NOT appear more than once in a single packet. 479 The attribute MUST NOT appear in any other RADIUS packets. 481 The format of the Port-Forwarding-Map RADIUS attribute format is 482 shown below. The fields are transmitted from left to right. 484 0 1 2 3 485 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 486 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 487 | Type | Length | Extended-Type | TLV-Type | 488 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 489 | TLV-Length | Resevered | Internal Port | 490 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 491 | Configured External Port | Internal IP Address ..... 492 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 494 Type: 496 Type: 498 TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- 499 Type-3 (243), or Extended-Type-4 (244) per [RFC6929] 501 Length: 503 This field indicates the total length in octets of all fields of 504 this attribute, including the Type, Length, Extended-Type, and the 505 entire length of the embedded TLV. 507 Extended-Type: 509 This one octet field contains a value that indicates the IP port 510 type, refer to Section 3.1 for details. 512 TLV-Type: 514 TBA5 - It indicates IP port mapping, and the associated internal 515 IP address is an IPv4 or IPv6 address, or not included. 517 TLV-Length: 519 >=7. 521 Reserved: 523 This field is set to zero by the sender and ignored by the 524 receiver. 526 Internal Port: 528 This field contains the internal port for the CGN mapping. 530 Configured External Port: 532 This field contains the external port for the CGN mapping. 534 Internal IP Address: 536 This field may or may not present, and when it does, contains the 537 internal IPv4 or IPv6 address for the CGN mapping. Its length 538 equal to the value in the TLV Length field minus 7. 540 Note the data group in the "TLV Value" field above (i.e., "Internal 541 Port", "Configured External Port", and "Internal IP Address") is 542 indicated by the identifier TBA1.{TBA1-1..TBA1-5}.TBA5. 544 4. Applications, Use Cases and Examples 546 This section describes some applications and use cases to illustrate 547 the use of the attributes propsoed in this document. 549 4.1. Managing CGN Port Behavior using RADIUS 551 In a broadband network, customer information is usually stored on a 552 RADIUS server, and the BNG hosts the NAS. The communication between 553 the NAS and the RADIUS server is triggered by a subscriber when the 554 user signs in to the Internet service, where either PPP or DHCP/ 555 DHCPv6 is used. When a user signs in, the NAS sends a RADIUS Access- 556 Request message to the RADIUS server. The RADIUS server validates 557 the request, and if the validation succeeds, it in turn sends back a 558 RADIUS Access-Accept message. The Access-Accept message carries 559 configuration information specific to that user, back to the NAS, 560 where some of the information would pass on to the requesting user 561 via PPP or DHCP/DHCPv6. 563 A CGN function in a broadband network would most likely reside on a 564 BNG. In that case, parameters for CGN port/identifier mapping 565 behavior for users can be configured on the RADIUS server. When a 566 user signs in to the Internet service, the associated parameters can 567 be conveyed to the NAS, and proper configuration is accomplished on 568 the CGN device for that user. 570 Also, CGN operation status such as CGN port/identifier allocation and 571 de-allocation for a specific user on the BNG can also be transmitted 572 back to the RADIUS server for accounting purpose using the RADIUS 573 protocol. 575 RADIUS protocol has already been widely deployed in broadband 576 networks to manage BNG, thus the functionality described in this 577 specification introduces little overhead to the existing network 578 operation. 580 In the following sub-sections, we describe how to manage CGN behavior 581 using RADIUS protocol, with required RADIUS extensions proposed in 582 Section 3. 584 4.1.1. Configure IP Port Limit for a User 586 In the face of IPv4 address shortage, there are currently proposals 587 to multiplex multiple subscribers' connections over a smaller number 588 of shared IPv4 addresses, such as Carrier Grade NAT [RFC6888], Dual- 589 Stack Lite [RFC6333], NAT64 [RFC6146], etc. As a result, a single 590 IPv4 public address may be shared by hundreds or even thousands of 591 subscribers. As indicated in [RFC6269], it is therefore necessary to 592 impose limits on the total number of ports available to an individual 593 subscriber to ensure that the shared resource, i.e., the IPv4 address 594 remains available in some capacity to all the subscribers using it, 595 and port limiting is also documented in [RFC6888] as a requirement. 597 The IP port limit imposed to a specific subscriber may be on the 598 total number of TCP and UDP ports plus the number of ICMP 599 identifiers, or with other granularities as defined in Section 3.2. 601 The per-subscriber based IP port limit is configured on a RADIUS 602 server, along with other user information such as credentials. The 603 value of these IP port limit is based on service agreement and its 604 specification is out of the scope of this document. 606 When a subscriber signs in to the Internet service successfully, the 607 IP port limit for the subscriber is passed to the BNG based NAS, 608 where CGN also locates, using a new RADIUS attribute called IP-Port- 609 Limit (defined in Section 3.2), along with other configuration 610 parameters. While some parameters are passed to the subscriber, the 611 IP port limit is recorded on the CGN device for imposing the usage of 612 TCP/UDP ports and ICMP identifiers for that subscriber. 614 Figure 1 illustrates how RADIUS protocol is used to configure the 615 maximum number of TCP/UDP ports for a given subscriber on a NAT44 616 device. 618 User NAT44/NAS AAA 619 | BNG Server 620 | | | 621 | | | 622 |----Service Request------>| | 623 | | | 624 | |-----Access-Request -------->| 625 | | | 626 | |<----Access-Accept-----------| 627 | | (IP-Port-Limit) | 628 | | (for TCP/UDP ports) | 629 |<---Service Granted ------| | 630 | (other parameters) | | 631 | | | 632 | (NAT44 external port | 633 | allocation and | 634 | IPv4 address assignment) | 635 | | | 637 Figure 1: RADIUS Message Flow for Configuring NAT44 Port Limit 639 The IP port limit created on a CGN device for a specific user using 640 RADIUS extension may be changed using RADIUS CoA message [RFC5176] 641 that carries the same RADIUS attribute. The CoA message may be sent 642 from the RADIUS server directly to the NAS, which once accepts and 643 sends back a RADIUS CoA ACK message, the new IP port limit replaces 644 the previous one. 646 Figure 2 illustrates how RADIUS protocol is used to increase the TCP/ 647 UDP port limit from 1024 to 2048 on a NAT44 device for a specific 648 user. 650 User NAT/NAS AAA 651 | BNG Server 652 | | | 653 | TCP/UDP Port Limit (1024) | 654 | | | 655 | |<---------CoA Request----------| 656 | | (IP-Port-Limit) | 657 | | (for TCP/UDP ports) | 658 | | | 659 | TCP/UDP Port Limit (2048) | 660 | | | 661 | |---------CoA Response--------->| 662 | | | 664 Figure 2: RADIUS Message Flow for changing a user's NAT44 port limit 666 4.1.2. Report IP Port Allocation/De-allocation 668 Upon obtaining the IP port limit for a subscriber, the CGN device 669 needs to allocate a TCP/UDP port or an ICMP identifiers for the 670 subscriber when receiving a new IP flow sent from that subscriber. 672 As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP 673 identifiers once at a time for a specific user, instead of one port/ 674 identifier at a time, and within each port bulk, the ports/ 675 identifiers may be randomly distributed or in consecutive fashion. 676 When a CGN device allocates bulk of TCP/UDP ports and ICMP 677 identifiers, the information can be easily conveyed to the RADIUS 678 server by a new RADIUS attribute called the IP-Port-Range (defined in 679 Section 3.3). The CGN device may allocate one or more TCP/UDP port 680 ranges or ICMP identifier ranges, or generally called IP port ranges, 681 where each range contains a set of numbers representing TCP/UDP ports 682 or ICMP identifiers, and the total number of ports/identifiers must 683 be less or equal to the associated IP port limit imposed for that 684 subscriber. A CGN device may choose to allocate a small port range, 685 and allocate more at a later time as needed; such practice is good 686 because its randomization in nature. 688 At the same time, the CGN device also needs to decide the shared IPv4 689 address for that subscriber. The shared IPv4 address and the pre- 690 allocated IP port range are both passed to the RADIUS server. 692 When a subscriber initiates an IP flow, the CGN device randomly 693 selects a TCP/UDP port or ICMP identifier from the associated and 694 pre-allocated IP port range for that subscriber to replace the 695 original source TCP/UDP port or ICMP identifier, along with the 696 replacement of the source IP address by the shared IPv4 address. 698 A CGN device may decide to "free" a previously assigned set of TCP/ 699 UDP ports or ICMP identifiers that have been allocated for a specific 700 subscriber but not currently in use, and with that, the CGN device 701 must send the information of the de-allocated IP port range along 702 with the shared IPv4 address to the RADIUS server. 704 Figure 3 illustrates how RADIUS protocol is used to report a set of 705 ports allocated and de-allocated, respectively, by a NAT44 device for 706 a specific user to the RADIUS server. 708 Host NAT44/NAS AAA 709 | BNG Server 710 | | | 711 | | | 712 |----Service Request------>| | 713 | | | 714 | |-----Access-Request -------->| 715 | | | 716 | |<----Access-Accept-----------| 717 |<---Service Granted ------| | 718 | (other parameters) | | 719 ... ... ... 720 | | | 721 | | | 722 | (NAT44 decides to allocate | 723 | a TCP/UDP port range for the user) | 724 | | | 725 | |-----Accounting-Request----->| 726 | | (IP-Port-Range | 727 | | for allocation) | 728 ... ... ... 729 | | | 730 | (NAT44 decides to de-allocate | 731 | a TCP/UDP port range for the user) | 732 | | | 733 | |-----Accounting-Request----->| 734 | | (IP-Port-Range | 735 | | for de-allocation) | 736 | | | 738 Figure 3: RADIUS Message Flow for reporting NAT44 allocation/de- 739 allocation of a port set 741 4.1.3. Configure Forwarding Port Mapping 743 In most scenarios, the port mapping on a NAT device is dynamically 744 created when the IP packets of an IP connection initiated by a user 745 arrives. For some applications, the port mapping needs to be pre- 746 defined allowing IP packets of applications from outside a CGN device 747 to pass through and "port forwarded" to the correct user located 748 behind the CGN device. 750 Port Control Protocol [RFC6887], provides a mechanism to create a 751 mapping from an external IP address and port to an internal IP 752 address and port on a CGN device just to achieve the "port 753 forwarding" purpose. PCP is a server-client protocol capable of 754 creating or deleting a mapping along with a rich set of features on a 755 CGN device in dynamic fashion. In some deployment, all users need is 756 a few, typically just one pre-configured port mapping for 757 applications such as web cam at home, and the lifetime of such a port 758 mapping remains valid throughout the duration of the customer's 759 Internet service connection time. In such an environment, it is 760 possible to statically configure a port mapping on the RADIUS server 761 for a user and let the RADIUS protocol to propagate the information 762 to the associated CGN device. 764 Figure 4 illustrates how RADIUS protocol is used to configure a 765 forwarding port mapping on a NAT44 device by using RADIUS protocol. 767 Host NAT/NAS AAA 768 | BNG Server 769 | | | 770 |----Service Request------>| | 771 | | | 772 | |---------Access-Request------->| 773 | | | 774 | |<--------Access-Accept---------| 775 | | (IP-Port-Forwarding-Map) | 776 |<---Service Granted ------| | 777 | (other parameters) | | 778 | | | 779 | (Create a port mapping | 780 | for the user, and | 781 | associate it with the | 782 | internal IP address | 783 | and external IP address) | 784 | | | 785 | | | 786 | |------Accounting-Request------>| 787 | | (IP-Port-Forwarding-Map) | 789 Figure 4: RADIUS Message Flow for configuring a forwarding port 790 mapping 792 A port forwarding mapping that is created on a CGN device using 793 RADIUS extension as described above may also be changed using RADIUS 794 CoA message [RFC5176] that carries the same RADIUS associate. The 795 CoA message may be sent from the RADIUS server directly to the NAS, 796 which once accepts and sends back a RADIUS CoA ACK message, the new 797 port forwarding mapping then replaces the previous one. 799 Figure 5 illustrates how RADIUS protocol is used to change an 800 existing port mapping from (a:X) to (a:Y), where "a" is an internal 801 port, and "X" and "Y" are external ports, respectively, for a 802 specific user with a specific IP address 803 Host NAT/NAS AAA 804 | BNG Server 805 | | | 806 | Internal IP Address | 807 | Port Map (a:X) | 808 | | | 809 | |<---------CoA Request----------| 810 | | (IP-Port-Forwarding-Map) | 811 | | | 812 | Internal IP Address | 813 | Port Map (a:Y) | 814 | | | 815 | |---------CoA Response--------->| 816 | | (IP-Port-Forwarding-Map) | 818 Figure 5: RADIUS Message Flow for changing a user's forwarding port 819 mapping 821 4.1.4. An Example 823 An Internet Service Provider (ISP) assigns TCP/UDP 500 ports for the 824 subscriber Joe. This number is the limit that can be used for TCP/UDP 825 ports on a NAT44 device for Joe, and is configured on a RADIUS 826 server. Also, Joe asks for a pre-defined port forwarding mapping on 827 the NAT44 device for his web cam applications (external port 5000 828 maps to internal port 80). 830 When Joe successfully connects to the Internet service, the RADIUS 831 server conveys the TCP/UDP port limit (1000) and the forwarding port 832 mapping (external port 5000 to internal port 80) to the NAT44 device, 833 using IP-Port-Limit attribute and IP-Port-Forwarding-Map attribute, 834 respectively, carried by an Access-Accept message to the BNG where 835 NAS and CGN co-located. 837 Upon receiving the first outbound IP packet sent from Joe's laptop, 838 the NAT44 device decides to allocate a small port pool that contains 839 40 consecutive ports, from 3500 to 3540, inclusively, and also assign 840 a shared IPv4 address 192.0.2.15, for Joe. The NAT44 device also 841 randomly selects one port from the allocated range (say 3519) and use 842 that port to replace the original source port in outbound IP packets. 844 For accounting purpose, the NAT44 device passes this port range 845 (3500-3540) and the shared IPv4 address 192.0.2.15 together to the 846 RADIUS server using IP-Port-Range attribute carried by an Accounting- 847 Request message. 849 When Joe works on more applications with more outbound IP sessions 850 and the port pool (3500-3540) is close to exhaust, the NAT44 device 851 allocates a second port pool (8500-8800) in a similar fashion, and 852 also passes the new port range (8500-8800) and IPv4 address 853 192.0.2.15 together to the RADIUS server using IP-Port-Range 854 attribute carried by an Accounting-Request message. Note when the 855 CGN allocates more ports, it needs to assure that the total number of 856 ports allocated for Joe is within the limit. 858 Joe decides to upgrade his service agreement with more TCP/UDP ports 859 allowed (up to 1000 ports). The ISP updates the information in Joe's 860 profile on the RADIUS server, which then sends a CoA-Request message 861 that carries the IP-Port-Limit attribute with 1000 ports to the NAT44 862 device; the NAT44 device in turn sends back a CoA-ACK message. With 863 that, Joe enjoys more available TCP/UDP ports for his applications. 865 When Joe travels, most of the IP sessions are closed with their 866 associated TCP/UDP ports released on the NAT44 device, which then 867 sends the relevant information back to the RADIUS server using IP- 868 Port-Range attribute carried by Accounting-Request message. 870 Throughout Joe's connection with his ISP Internet service, 871 applications can communicate with his web cam at home from external 872 realm directly traversing the pre-configured mapping on the CGN 873 device. 875 When Joe disconnects from his Internet service, the CGN device will 876 de-allocate all TCP/UDP ports as well as the port-forwarding mapping, 877 and send the relevant information to the RADIUS server. 879 4.2. Report Assigned Port Set for a Visiting UE 881 Figure 6 illustrates an example of the flow exchange which occurs 882 when a visiting UE connects to a CPE offering Wi-Fi service. 884 For identification purposes (see [RFC6967]), once the CPE assigns a 885 port set, it issues a RADIUS message to report the assigned port set. 887 UE CPE NAS AAA 888 | BNG Server 889 | | | 890 | | | 891 |----Service Request------>| | 892 | | | 893 | |-----Access-Request -------->| 894 | | | 895 | |<----Access-Accept-----------| 896 |<---Service Granted ------| | 897 | (other parameters) | | 898 ... | ... ... 899 |<---IP@----| | | 900 | | | | 901 | (CPE assigns a TCP/UDP port | 902 | range for this visiting UE) | 903 | | | 904 | |--Accounting-Request-...------------------->| 905 | | (IP-Port-Range | 906 | | for allocation) | 907 ... | ... ... 908 | | | | 909 | | | | 910 | (CPE withdraws a TCP/UDP port | 911 | range for a visiting UE) | 912 | | | 913 | |--Accounting-Request-...------------------->| 914 | | (IP-Port-Range | 915 | | for de-allocation) | 916 | | | 918 Figure 6: RADIUS Message Flow for reporting CPE allocation/de- 919 allocation of a port set to a visiting UE 921 5. Table of Attributes 923 This document proposes three new RADIUS attributes and their formats 924 are as follows: 926 o IP-Port-Limit: TBA1.{TBA!-1 .. TBA1-5}.TBA2 928 o IP-Port-Range: TBA1.{TBA1-1 .. TBA1-5}.{TBA3 .. TBA4} 930 o IP-Port-Forwarding-Map: TBA.1{TBA1-1 .. TBA1-5}.TBA5 932 The following table provides a guide as what type of RADIUS packets 933 that may contain these attributes, and in what quantity. 935 Request Accept Reject Challenge Acct. # Attribute 936 Request 937 0-1 0-1 0 0 0-1 TBA IP-Port-Limit 938 0 0 0 0 0-1 TBA IP-Port-Range 939 0-1 0-1 0 0 0-1 TBA IP-Port-Forwarding-Map 941 The following table defines the meaning of the above table entries. 943 0 This attribute MUST NOT be present in packet. 944 0+ Zero or more instances of this attribute MAY be present in 945 packet. 946 0-1 Zero or one instance of this attribute MAY be present in packet. 948 6. Security Considerations 950 This document does not introduce any security issue than what has 951 been identified in [RFC2865]. 953 7. IANA Considerations 955 This document requires new code point assignment for the new RADIUS 956 attributes as follows: 958 o TBA1 (refer to Section 3.1): This value is for the Radius Type 959 field and should be allocated from the number space of Extended- 960 Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or 961 Extended-Type-4 (244) per [RFC6929]. 963 o TBA1-1, TBA1-2, TBA1-3, TBA1-4, and TBA1-5 (refer to Section 3.1): 964 These values are for the Radius Extended Type field that are 965 associated with TBA1. 967 o TBA2 (refer to Section 3.2): This value is for the TLV field and 968 specifies the limit of the IP port imposed to a user. 970 o TBA3 (refer to Section 3.3): This value is for the TLV field and 971 specifies the allocation action of IP ports by a port device 972 (e.g., a CGN) for a user. 974 o TBA4 (refer to Section 3.3): This value is for the TLV field and 975 specifies the de-allocation action of IP ports by a port device 976 (e.g., a CGN) for a user. 978 o TBA5(refer to Section 3.4): This value is for the TLV field and 979 specifies the mapping action on IP port by a port device (e.g., a 980 CGN) for a user. 982 8. Acknowledgements 984 Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David 985 Thaler, Alan Dekok, and Lionel Morand for their useful comments and 986 suggestions. 988 9. References 990 9.1. Normative References 992 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 993 E. Lear, "Address Allocation for Private Internets", BCP 994 5, RFC 1918, February 1996. 996 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 997 Requirement Levels", BCP 14, RFC 2119, March 1997. 999 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 1000 June 1999. 1002 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, 1003 "Remote Authentication Dial In User Service (RADIUS)", RFC 1004 2865, June 2000. 1006 [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. 1007 Aboba, "Dynamic Authorization Extensions to Remote 1008 Authentication Dial In User Service (RADIUS)", RFC 5176, 1009 January 2008. 1011 [RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial In User 1012 Service (RADIUS) Protocol Extensions", RFC 6929, April 1013 2013. 1015 9.2. Informative References 1017 [I-D.gundavelli-v6ops-community-wifi-svcs] 1018 Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, 1019 "Service Provider Wi-Fi Services Over Residential 1020 Architectures", draft-gundavelli-v6ops-community-wifi- 1021 svcs-06 (work in progress), April 2013. 1023 [I-D.ietf-softwire-lw4over6] 1024 Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and 1025 I. Farrer, "Lightweight 4over6: An Extension to the DS- 1026 Lite Architecture", draft-ietf-softwire-lw4over6-08 (work 1027 in progress), March 2014. 1029 [I-D.miles-behave-l2nat] 1030 Miles, D. and M. Townsley, "Layer2-Aware NAT", draft- 1031 miles-behave-l2nat-00 (work in progress), March 2009. 1033 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 1034 Address Translator (Traditional NAT)", RFC 3022, January 1035 2001. 1037 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 1038 NAT64: Network Address and Protocol Translation from IPv6 1039 Clients to IPv4 Servers", RFC 6146, April 2011. 1041 [RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P. 1042 Roberts, "Issues with IP Address Sharing", RFC 6269, June 1043 2011. 1045 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 1046 Stack Lite Broadband Deployments Following IPv4 1047 Exhaustion", RFC 6333, August 2011. 1049 [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable 1050 Operation of Address Translators with Per-Interface 1051 Bindings", RFC 6619, June 2012. 1053 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 1054 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 1055 2013. 1057 [RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A., 1058 and H. Ashida, "Common Requirements for Carrier-Grade NATs 1059 (CGNs)", BCP 127, RFC 6888, April 2013. 1061 [RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno, 1062 "Analysis of Potential Solutions for Revealing a Host 1063 Identifier (HOST_ID) in Shared Address Deployments", RFC 1064 6967, June 2013. 1066 Authors' Addresses 1068 Dean Cheng 1069 Huawei 1070 2330 Central Expressway 1071 Santa Clara, California 95050 1072 USA 1074 Email: dean.cheng@huawei.com 1075 Jouni Korhonen 1076 Broadcom 1077 Porkkalankatu 24 1078 FIN-00180 Helsinki 1079 Finland 1081 Email: jouni.nospam@gmail.com 1083 Mohamed Boucadair 1084 France Telecom 1085 Rennes 1086 France 1088 Email: mohamed.boucadair@orange.com 1090 Senthil Sivakumar 1091 Cisco Systems 1092 7100-8 Kit Creek Road 1093 Research Triangle Park, North Carolina 1094 USA 1096 Email: ssenthil@cisco.com