idnits 2.17.1 draft-ietf-behave-lsn-requirements-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (March 12, 2011) is 4793 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-08) exists of draft-shirasaki-nat444-isp-shared-addr-05 == Outdated reference: A later version (-04) exists of draft-ietf-intarea-server-logging-recommendations-03 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force S. Perreault, Ed. 3 Internet-Draft Viagenie 4 Intended status: BCP I. Yamagata 5 Expires: September 13, 2011 S. Miyakawa 6 NTT Communications 7 A. Nakagawa 8 Japan Internet Exchange (JPIX) 9 H. Ashida 10 iTSCOM 11 March 12, 2011 13 Common requirements for IP address sharing schemes 14 draft-ietf-behave-lsn-requirements-01 16 Abstract 18 This document defines common requirements for Carrier-Grade NAT (CGN) 19 devices. 21 Status of this Memo 23 This Internet-Draft is submitted to IETF in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF), its areas, and its working groups. Note that 28 other groups may also distribute working documents as Internet- 29 Drafts. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 The list of current Internet-Drafts can be accessed at 37 http://www.ietf.org/ietf/1id-abstracts.txt. 39 The list of Internet-Draft Shadow Directories can be accessed at 40 http://www.ietf.org/shadow.html. 42 This Internet-Draft will expire on September 13, 2011. 44 Copyright Notice 46 Copyright (c) 2011 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 3. Requirements for CGN devices . . . . . . . . . . . . . . . . . 4 64 4. Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 65 5. Bulk Port Allocation . . . . . . . . . . . . . . . . . . . . . 7 66 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 67 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 68 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 69 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 70 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 71 9.2. Informative Reference . . . . . . . . . . . . . . . . . . 9 72 Appendix A. Change Log (to be removed by RFC Editor prior to 73 publication) . . . . . . . . . . . . . . . . . . . . 10 74 A.1. Changed in -01 . . . . . . . . . . . . . . . . . . . . . . 10 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 77 1. Introduction 79 With the shortage of IPv4 addresses, it is expected that more ISPs 80 may want to provide a service where a public IPv4 address would be 81 shared by many subscribers (also known as NAT444 82 [I-D.shirasaki-nat444-isp-shared-addr]). Each subscriber is assigned 83 a private address, and a NAT device situated in the ISPs network 84 translates between private and public addresses. 86 This is not to be considered a solution to the shortage of IPv4 87 addresses. It is a service that can conceivably be offered alongside 88 others, such as IPv6 services or regular, un-NATed IPv4 service. 89 Some ISPs started offering such a service long before there was a 90 shortage of IPv4 addresses, showing that there are driving forces 91 other than the shortage of IPv4 addresses. 93 This document describes behavioural requirements that are to be 94 expected of those ISP-controlled NAT devices. Meeting this set of 95 requirements will greatly increase the likelihood that subscribers' 96 applications will function properly. 98 Readers should be aware of potential issues that may arise when 99 sharing public address between many subscribers. See 100 [I-D.ford-shared-addressing-issues] for details. 102 This document builds upon previous works describing requirements for 103 generic NAT devices.[RFC4787][RFC5382][RFC5508]. These documents 104 still apply in this context. What follows are additional 105 requirements, to be satisfied on top of previous ones. 107 2. Terminology 109 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 110 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 111 document are to be interpreted as described in [RFC2119]. 113 Readers are expected to be familiar with [RFC4787] and the terms 114 defined there. The following term is used in this document: 116 Carrier-Grade NAT (CGN): NAT device placed between a subscriber and 117 the Internet in an ISP's network. A CGN translates IP addresses 118 and transport-protocol port numbers in the packets that it 119 forwards across the border between the internal and external 120 realms. 122 Note that the term "carrier-grade" has nothing to do with the 123 quality of the NAT device; that is left to discretion of 124 implementors. Rather, it is to be understood as a topological 125 qualifier: the NAT device is placed in an ISP's network and 126 translates the traffic of potentially many subscribers. Those 127 have limited or no control over the CGN, whereas they typically 128 have full control over a NAT placed on their premises. 130 Figure 1 summarises the network topology in which CGN devices 131 operate. 133 . 134 : 135 | Internet 136 ............... | ................... 137 | ISP network 138 | 139 | 140 ++------++ External realm 141 ........... | CGN |............... 142 ++------++ Internal realm 143 | | 144 | | 145 | | ISP network 146 ............. | .. | ................ 147 | | Customer premises 148 ++------++ ++------++ 149 | CPE1 | | CPE2 | etc. 150 ++------++ ++------++ 152 Figure 1: CGN network topology 154 3. Requirements for CGN devices 156 What follows is a list of requirements for CGN devices. They are in 157 addition to those found in other documents such as [RFC4787], 158 [RFC5382], and [RFC5508]. 160 REQ-1: A CGN MUST have an "IP address pooling" behaviour of 161 "Paired". 163 Justification: This is a stronger form of REQ-2 from [RFC4787]. 165 Note that this requirement applies regardless of the transport 166 protocol. In other words, a CGN must use the same external IP 167 address mapping for all sessions associated with the same internal 168 IP address, be they TCP, UDP, ICMP, something else, or a mix of 169 different protocols. 171 REQ-2: A CGN SHOULD limit the number of external ports (or, 172 equivalently, "identifiers" for ICMP) that are assigned per CPE. 174 A. Limits SHOULD be configurable by the CGN administrator. 176 B. Limits MAY be configured and applied independently per 177 transport protocol. 179 C. Additionally, it SHOULD be possible to limit the rate at which 180 external ports are allocated. 182 Justification: A CGN can be considered a network resource that is 183 shared by competing subscribers. Limiting the number of external 184 ports assigned to each CPE mitigates the DoS attack that a 185 subscriber could launch against the CGN in order to get a larger 186 share of the resource. It ensures fairness among subscribers. 187 Limiting the rate of allocation is intended to further help 188 mitigate DoS attacks. 190 REQ-3: A CGN SHOULD limit the number of TCP sessions per CPE. 192 A. Limits SHOULD be configurable by the CGN administrator. 194 B. Additionally, it SHOULD be possible to limit the rate at which 195 TCP sessions are instanciated. 197 Justification: A NAT needs to keep track of TCP sessions associated 198 to each mapping. This state consumes resources for which, in the 199 case of a CGN, subscribers may compete. It is necessary to ensure 200 that each subscriber has access to a faire share of the CGN's 201 resources. Limiting TCP sessions per CPE and per time unit is an 202 effective mitigation against inter-subscriber DoS attacks. 203 Limiting the rate of TCP session instanciation is intended to 204 further help mitigate DoS attacks. 206 REQ-4: It SHOULD be possible to administratively turn off 207 translation for specific destination addresses and/or ports. 209 Justification: It is common for a CGN administrator to provide 210 access for subscribers to servers installed in the ISP's network, 211 in the external realm. When such a server is able to reach the 212 internal realm via normal routing (which is entirely controlled by 213 the ISP), translation is unneeded. In that case, the CGN may 214 forward packets without modification, thus acting like a plain 215 router. This may represent an important efficiency gain. 217 Figure 2 illustrates this use-case. 219 X1:x1 X1':x1' X2:x2 220 +---+from X1:x1 +---+from X1:x1 +---+ 221 | | to X2:x2 | | to X2:x2 | S | 222 | C |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | 223 | P | | G | | r | 224 | E |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | 225 | |from X2:x2 | |from X2:x2 | e | 226 | | to X1:x1 | | to X1:x1 | r | 227 +---+ +---+ +---+ 229 Figure 2: CGN pass-through 231 REQ-5: It is RECOMMENDED that a CGN have an "Endpoint-Independent 232 Filtering" behaviour. 234 Justification: This is a stronger form of REQ-8 from [RFC4787]. An 235 "Address-Dependent Filtering" behaviour is NOT RECOMMENDED. This 236 is based on the observation that some games and peer-to-peer 237 applications require EIF for the NAT traversal to work. In the 238 context of a CGN it is important to minimise application breakage. 240 REQ-6: When a CGN loses state (due to a crash, reboot, failover to a 241 cold standby, etc.), it MUST start using a different external 242 address pool. 244 Justification: This is necessary in order to prevent collisions 245 between old and new mappings and sessions. It ensures that all 246 established sessions are broken instead of redirected to a 247 different peer. The previous address pool MAY of course be reused 248 after a second loss of state. 250 4. Logging 252 It may be necessary for CGN administrators to be able to identify a 253 subscriber based on external IPv4 address, port, and timestamp in 254 order to deal with abuse and lawful intercept requests. When 255 multiple subscribers share a single external address, the source 256 address and port that are visible at the destination host have been 257 translated from the ones originated by the CPE. 259 In order to be able to do this, the CGN needs to log the following 260 information for each mapping created: 262 o internal source address 264 o internal source port 266 o external source address 268 o external source port 270 o destination address (but see below) 272 o destination port (but see below) 274 o timestamp 276 A disadvantage of this is that CGNs under heavy usage may produce 277 large amounts of logs, which may require large storage volume. 279 Readers should be aware of logging recommendations for Internet- 280 facing servers [I-D.ietf-intarea-server-logging-recommendations]. 281 With compliant servers, the destination address and port do not need 282 to be logged by the CGN. This can help reduce the amount of logging. 284 5. Bulk Port Allocation 286 So far we have assumed that a CGN allocates one external port for 287 every outgoing connection. In this section, the impacts of 288 allocating multiple external ports at a time are discussed. 290 There is a range of things a CGN can do: 292 1. For every outgoing connection, allocate one external port. 294 2. For an outgoing connection, create a "bin" of several random 295 external ports. Subsequent outgoing connections will use ports 296 from the "bin". When the "bin" is full, a new connection causes 297 a new bin to be created. A bin is smaller or equal to the user's 298 maximum port limit. 300 3. Same as (2), but the ports allocated to a "bin" are consecutive 301 instead of random. 303 Impacts are as follows. 305 Port Utilization: The mechanisms at the top of the list are very 306 efficient in their port utilization. In that sense, they have 307 good scaling properties (nothing is wasted). The mechanisms at 308 the bottom of the list will waste ports. The number of wasted 309 ports is proportional to size of the "bin". 311 Logging: Mechanism (1) creates a lot of log entries. Mechanisms (2) 312 and (3) create the same number of log entries, but (3)'s log 313 entries are smaller because a range can be expressed very 314 compactly by indicating a range (e.g. "12000-12009"). With large 315 "bin" sizes, the logging for mechanisms (2) and (3) can approach 316 the logging frequency of DHCP servers. 318 Mechanism (1) can log destinations while mechanisms (2) and (3) 319 cannot. This means that a CGN implementing one of the latter two 320 will rely on the remote peer to follow the recommendations in 321 [I-D.ietf-intarea-server-logging-recommendations]. If this is not 322 acceptable, mechanisms (2) and (3) cannot be used. 324 Security: Mechanisms (1) and (2) provide very good security in that 325 ports numbers are not easily guessed. Easily guessed port numbers 326 put subscribers at risk of the attacks described in [RFC6056]. 327 Mechanism (3) provides poor security to subscribers, especially if 328 the "bin" size is small. 330 6. IANA Considerations 332 There are no IANA considerations. 334 7. Security Considerations 336 If a malicious subscriber can spoof another subscriber's CPE, it may 337 cause a DoS to that subscriber by creating mappings up to the allowed 338 limit. Therefore, the CGN administrator SHOULD ensure that spoofing 339 is impossible. This can be accomplished with ingress filtering, as 340 described in [RFC2827]. 342 8. Acknowledgements 344 Thanks for the input and review by Tomohiro Nishitani, Yasuhiro 345 Shirasaki, Takeshi Tomochika, Kousuke Shishikura, Dai Kuwabara, 346 Tomoya Yoshida, Takanori Mizuguchi, Arifumi Matsumoto, Tomohiro 347 Fujisaki, Dan Wing, and Dave Thaler. Dan Wing contributed much of 348 section 5. 350 9. References 351 9.1. Normative References 353 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 354 Requirement Levels", BCP 14, RFC 2119, March 1997. 356 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 357 Defeating Denial of Service Attacks which employ IP Source 358 Address Spoofing", BCP 38, RFC 2827, May 2000. 360 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 361 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 362 RFC 4787, January 2007. 364 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 365 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 366 RFC 5382, October 2008. 368 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 369 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 370 April 2009. 372 [RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport- 373 Protocol Port Randomization", BCP 156, RFC 6056, 374 January 2011. 376 9.2. Informative Reference 378 [I-D.shirasaki-nat444-isp-shared-addr] 379 Shirasaki, Y., Miyakawa, S., Nakagawa, A., Yamaguchi, J., 380 and H. Ashida, "NAT444 addressing models", 381 draft-shirasaki-nat444-isp-shared-addr-05 (work in 382 progress), January 2011. 384 [I-D.ford-shared-addressing-issues] 385 Ford, M., Boucadair, M., Durand, A., Levis, P., and P. 386 Roberts, "Issues with IP Address Sharing", 387 draft-ford-shared-addressing-issues-02 (work in progress), 388 March 2010. 390 [I-D.ietf-intarea-server-logging-recommendations] 391 Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, 392 "Logging recommendations for Internet facing servers", 393 draft-ietf-intarea-server-logging-recommendations-03 (work 394 in progress), February 2011. 396 Appendix A. Change Log (to be removed by RFC Editor prior to 397 publication) 399 A.1. Changed in -01 401 o Terminology: LSN is now CGN. 403 o Imported all requirements from RFCs 4787, 5382, and 5508. This 404 allowed us to eliminate some duplication. 406 o Added references to 407 draft-ietf-intarea-server-logging-recommendations and 408 draft-ford-shared-addressing-issues. 410 o Incorporated a requirement from 411 draft-xu-behave-stateful-nat-standby-06. 413 Authors' Addresses 415 Simon Perreault (editor) 416 Viagenie 417 2875 boul. Laurier, suite D2-630 418 Quebec, QC G1V 2M2 419 Canada 421 Phone: +1 418 656 9254 422 Email: simon.perreault@viagenie.ca 423 URI: http://www.viagenie.ca 425 Ikuhei Yamagata 426 NTT Communications Corporation 427 Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku 428 Tokyo 108-8118 429 Japan 431 Phone: +81 50 3812 4704 432 Email: ikuhei@nttv6.jp 433 Shin Miyakawa 434 NTT Communications Corporation 435 Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku 436 Tokyo 108-8118 437 Japan 439 Phone: +81 50 3812 4695 440 Email: miyakawa@nttv6.jp 442 Akira Nakagawa 443 Japan Internet Exchange Co., Ltd. (JPIX) 444 Otemachi Building 21F, 1-8-1 Otemachi, Chiyoda-ku 445 Tokyo 100-0004 446 Japan 448 Phone: +81 90 9242 2717 449 Email: a-nakagawa@jpix.ad.jp 451 Hiroyuki Ashida 452 its communications Inc. 453 541-1 Ichigao-cho Aoba-ku 454 Yokohama 225-0024 455 Japan 457 Email: ashida@itscom.ad.jp