Network Working Group                                           D. Cheng
Internet-Draft                                                    Huawei
Intended status: Standards Track                             J. Korhonen
Expires: December 14, 2014                                      Broadcom
                                                            M. Boucadair
                                                          France Telecom
                                                            S. Sivakumar
                                                           Cisco Systems
                                                           June 12, 2014

        RADIUS Extensions for IP Port Configuration and Reporting
                draft-ietf-radext-ip-port-radius-ext-01

Abstract

   This document defines three new RADIUS attributes. For devices that implement IP port ranges, these attributes are used to communicate with a RADIUS server in order to configure and report TCP/UDP ports and ICMP identifiers, as well as mapping behavior for specific hosts. This mechanism can be used in various deployment scenarios such as CGN (Carrier Grade NAT), NAT64, Provider WLAN Gateway, etc.

   This document does not make any assumption about the deployment context.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 14, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Terminology
   3. Extensions of RADIUS Attributes and TLVs
      3.1. Extended Attributes for IP Ports
         3.1.1. Extended-Type and IP-Port-Type TLV
         3.1.2. IP-Port-Limit Attribute
         3.1.3. IP-Port-Range Attribute
         3.1.4. IP-Port-Forwarding-Map Attribute
      3.2. RADIUS TLVs for IP Ports
         3.2.1. IP-Port-Limit TLV
         3.2.2. IP-Port-Ext-IPv4-Addr TLV
         3.2.3. IP-Port-Int-IP-Addr TLV
         3.2.4. IP-Port-Int-Port TLV
         3.2.5. IP-Port-Ext-Port TLV
         3.2.6. IP-Port-Alloc TLV
         3.2.7. IP-Port-Range-Start TLV
         3.2.8. IP-Port-Range-End TLV
         3.2.9. IP-Port-Local-Id TLV
   4. Applications, Use Cases and Examples
      4.1. Managing CGN Port Behavior using RADIUS
         4.1.1. Configure IP Port Limit for a User
         4.1.2. Report IP Port Allocation/De-allocation
         4.1.3. Configure Forwarding Port Mapping
         4.1.4. An Example
      4.2. Report Assigned Port Set for a Visiting UE
   5. Table of Attributes
   6. Security Considerations
   7. IANA Considerations
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References
   Authors' Addresses

1. Introduction

   In a broadband network, customer information is usually stored on a RADIUS server [RFC2865], and when a user initiates an IP connection request, the RADIUS server populates the user's configuration information to the Network Access Server (NAS), which is usually co-located with the Border Network Gateway (BNG), after the connection request is granted. The Carrier Grade NAT (CGN) function may also be implemented on the BNG, and therefore CGN TCP/UDP port (or ICMP identifier) mapping behavior can be configured on the RADIUS server as part of the user profile and populated to the NAS in the same manner. In addition, during operation, the CGN can also convey port/identifier mapping behavior specific to a user to the RADIUS server, as part of the normal RADIUS accounting process.

   The CGN device that communicates with a RADIUS server using the RADIUS extensions defined in this document may perform the NAT44 [RFC3022], NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function.

   For the CGN case, when IP packets traverse a CGN device, it performs TCP/UDP source port mapping or ICMP identifier mapping as required.
   A TCP/UDP source port or ICMP identifier, along with the source IP address, destination IP address, destination port and protocol identifier (if applicable), uniquely identifies a session. Since the number space of TCP/UDP ports and ICMP identifiers in the CGN's external realm is shared among multiple users assigned the same IPv4 address, the total number of a user's simultaneous IP sessions is likely to be subject to a port quota (see Section 5 of [RFC6269]).

   The attributes defined in this document may also be used to report the assigned port range in some deployments such as Provider WLAN [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting host can be managed by a CPE (Customer Premises Equipment) which will need to report the assigned port range to the service platform. This is required for identification purposes (see WT-146 for example).

   This document proposes three new attributes as RADIUS protocol extensions, used for separate purposes as follows:

   1. IP-Port-Limit: This attribute may be carried in a RADIUS Access-Accept, Access-Request, Accounting-Request or CoA-Request packet. The purpose of this attribute is to limit the total number of TCP/UDP ports and/or ICMP identifiers that an IP subscriber can use, associated with an IPv4 address.

   2. IP-Port-Range: This attribute may be carried in a RADIUS Accounting-Request packet. The purpose of this attribute is for an address sharing device (e.g., a CGN) to report to the RADIUS server the range of TCP/UDP ports and/or ICMP identifiers that have been allocated or deallocated, associated with a given IPv4 address, for a subscriber.

   3. IP-Port-Forwarding-Map: This attribute may be carried in a RADIUS Access-Accept, Access-Request, Accounting-Request or CoA-Request packet.
      The purpose of this attribute is to specify how a TCP/UDP port (or an ICMP identifier) maps to another TCP/UDP port (or ICMP identifier), each associated with its respective IPv4 address.

   This document was constructed using [RFC2629].

2. Terminology

   This document makes use of the following terms:

   o IP Port: refers to the port numbers of IP transport protocols, including TCP port, UDP port and ICMP identifier.

   o IP Port Type: refers to one of the following: (1) TCP/UDP port and ICMP identifier, (2) TCP port and UDP port, (3) TCP port, (4) UDP port, or (5) ICMP identifier.

   o IP Port Limit: denotes the maximum number of IP ports of a specific port type that a device supporting port ranges can use when performing port number mapping for a specific user.

   o IP Port Range: specifies a set of contiguous IP ports, indicated by the smallest and the largest port number, inclusive.

   o Internal IP Address: refers to the IP address that is used as the source IP address in an outbound IP packet sent towards a device supporting port ranges, in the internal realm. In the IPv4 case, it is typically a private address [RFC1918].

   o External IP Address: refers to the IP address that is used as the source IP address in an outbound IP packet after traversing a device supporting port ranges, in the external realm. In the IPv4 case, it is typically a globally routable IP address.

   o Internal Port: a UDP or TCP port, or an ICMP identifier, allocated by a host or application behind a device supporting port ranges for an outbound IP packet in the internal realm.

   o External Port: a UDP or TCP port, or an ICMP identifier, allocated by a device supporting port ranges upon receiving an outbound IP packet from the internal realm, and used to replace the internal port allocated by a user or application.
   o External realm: refers to the networking segment where IPv4 public addresses are used, with respect to the device supporting port ranges.

   o Internal realm: refers to the networking segment that is behind a device supporting port ranges and where IPv4 private addresses are used.

   o Mapping: associates, within a device supporting port ranges, an internal IP address, internal port and protocol with an external IP address, external port and protocol.

   o Port-based device: a device that is capable of providing IP address and IP port mapping services, in particular with the granularity of one or more subsets within the 16-bit IP port number range. Typical examples of such a device are a CGN, a CPE, a Provider WLAN Gateway, etc.

   Note that the terms "internal IP address", "internal port", "internal realm", "external IP address", "external port", "external realm", and "mapping" and their semantics are the same as in [RFC6887] and [RFC6888].

3. Extensions of RADIUS Attributes and TLVs

   Three new attributes are defined in the following sub-sections:

   1. IP-Port-Limit Attribute

   2. IP-Port-Range Attribute

   3. IP-Port-Forwarding-Map Attribute

   All these attributes are allocated from the RADIUS "Extended Type" code space per [RFC6929].

3.1. Extended Attributes for IP Ports

3.1.1. Extended-Type and IP-Port-Type TLV

   This section defines a new Extended-Type and an IP-Port-Type TLV (see Figure 1).
   The IP port type may be one of the following:

   o TCP port, UDP port, and ICMP identifier

   o TCP port and UDP port

   o TCP port

   o UDP port

   o ICMP identifier

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |   TLV1-Type   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  TLV1-Length  |  Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 1

   Type:

      TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or Extended-Type-4 (244) per [RFC6929].

   Length:

      This field indicates the total length in bytes of all fields of this attribute, including the Type, Length, Extended-Type, and the embedded TLVs.

   Extended-Type:

      TBA2.

   TLV1-Type:

      Type field of the IP-Port-Type TLV. This one-byte field indicates the IP port type as follows:

      TBA2-1: Refers to TCP port, UDP port, and ICMP identifier as a whole.

      TBA2-2: Refers to TCP port and UDP port as a whole.

      TBA2-3: Refers to TCP port only.

      TBA2-4: Refers to UDP port only.

      TBA2-5: Refers to ICMP identifier only.

   TLV1-Length:

      Length field of the IP-Port-Type TLV. This field indicates the total length in bytes of TLV1, including the TLV1-Type and TLV1-Length fields and the Value.

   Value:

      Value field of the IP-Port-Type TLV. This field contains one or more TLVs; refer to Section 3.1.2, Section 3.1.3 and Section 3.1.4 for details.

      The interpretation of this field is determined by the identifier "TBA1.TBA2.{TBA2-1..TBA2-5}" along with the embedded TLVs.

3.1.2. IP-Port-Limit Attribute

   This attribute contains the Extended-Type and IP-Port-Type TLV defined in Section 3.1.1, along with the embedded IP-Port-Limit TLV and IP-Port-Ext-IPv4-Addr TLV, defined in Section 3.2.1 and Section 3.2.2, respectively.
   It specifies the maximum number of IP ports of a specific port type, as indicated in the IP-Port-Limit TLV, associated with a given IPv4 address, as indicated in the IP-Port-Ext-IPv4-Addr TLV, for an end user. Note that when the IP-Port-Ext-IPv4-Addr TLV is not included as part of the IP-Port-Limit Attribute, the port limit applies to all the IPv4 addresses managed by the port device, e.g., a CGN or NAT64 device.

   The IP-Port-Limit Attribute MAY appear in an Access-Accept packet. It MAY also appear in an Access-Request packet as a hint by the device supporting port ranges, which is co-located with the NAS, to the RADIUS server as a preference, although the server is not required to honor such a hint.

   The IP-Port-Limit Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Limit Attribute MAY appear in an Accounting-Request packet.

   The IP-Port-Limit Attribute MUST NOT appear in any other RADIUS packets.

   The format of the IP-Port-Limit Attribute is shown in Figure 2. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |   TLV1-Type   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  TLV1-Length  |  Value ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 2

   Type:

      TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or Extended-Type-4 (244) per [RFC6929].

   Length:

      This field indicates the total length in bytes of all fields of this attribute, including the Type, Length, Extended-Type, and the entire length of the embedded TLVs.

   Extended-Type:

      TBA2 - This one-byte field contains a value that indicates the IP port type; refer to Section 3.1.1 for detail.

   TLV1-Type:

      TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5.
      Refer to Section 3.1.1 for detail.

   TLV1-Length:

      This field indicates the total length in bytes of TLV1, including the TLV1-Type and TLV1-Length fields and the entire length of the embedded TLVs.

   Value:

      This field contains a set of TLVs as follows:

      IP-Port-Limit TLV:

         This TLV contains the maximum number of IP ports of a specific IP port type associated with a given IPv4 address for an end user. This TLV must be included in the IP-Port-Limit Attribute. Refer to Section 3.2.1.

      IP-Port-Ext-IPv4-Addr TLV:

         This TLV contains the IPv4 address that is associated with the IP port limit contained in the IP-Port-Limit TLV. This TLV is optionally included as part of the IP-Port-Limit Attribute. Refer to Section 3.2.2.

   The IP-Port-Limit attribute is associated with the following identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type TLV{TBA2-1..TBA2-5}.[IP-Port-Limit TLV(TBA3), {IP-Port-Ext-IPv4-Addr TLV (TBA4)}].

3.1.3. IP-Port-Range Attribute

   This attribute contains the Extended-Type and IP-Port-Type TLV defined in Section 3.1.1, along with a set of embedded TLVs defined in Section 3.2.7 (IP-Port-Range-Start TLV), Section 3.2.8 (IP-Port-Range-End TLV), Section 3.2.6 (IP-Port-Alloc TLV), Section 3.2.2 (IP-Port-Ext-IPv4-Addr TLV), and Section 3.2.9 (IP-Port-Local-Id TLV). It conveys a range of contiguous IP ports of a specific port type, associated with an IPv4 address, that are either allocated or deallocated by a device for a given subscriber; the information is intended to be sent to the RADIUS server.

   This attribute can be used to convey a single IP port number; in that case IP-Port-Range-Start and IP-Port-Range-End convey the same value.

   Within an IP-Port-Range Attribute, the IP-Port-Alloc TLV is always included.
   For port allocation, both the IP-Port-Range-Start TLV and the IP-Port-Range-End TLV must be included; for port deallocation, the inclusion of these two TLVs is optional, and if they are not included, all ports previously allocated are now deallocated. Both the IP-Port-Ext-IPv4-Addr TLV and the IP-Port-Local-Id TLV are optional; if included, they are used by a port device (e.g., a CGN device) to identify the end user.

   The IP-Port-Range Attribute MAY appear in an Accounting-Request packet.

   The IP-Port-Range Attribute MUST NOT appear in any other RADIUS packets.

   The format of the IP-Port-Range Attribute is shown in Figure 3. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |   TLV1-Type   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  TLV1-Length  |  Value ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 3

   Type:

      TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or Extended-Type-4 (244) per [RFC6929].

   Length:

      This field indicates the total length in bytes of all fields of this attribute, including the Type, Length, Extended-Type, and the entire length of the embedded TLVs.

   Extended-Type:

      TBA2 - This one-byte field contains a value that indicates the IP port type; refer to Section 3.1.1 for detail.

   TLV1-Type:

      TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1 for detail.

   TLV1-Length:

      This field indicates the total length in bytes of TLV1, including the TLV1-Type and TLV1-Length fields and the entire length of the embedded TLVs.
   Value:

      This field contains a set of TLVs as follows:

      IP-Port-Alloc TLV:

         This TLV contains a flag indicating whether the specified range of IP ports is being allocated or deallocated. This TLV must be included as part of the IP-Port-Range Attribute. Refer to Section 3.2.6.

      IP-Port-Range-Start TLV:

         This TLV contains the smallest port number of a range of contiguous IP ports. To report a port allocation, this TLV must be included together with the IP-Port-Range-End TLV as part of the IP-Port-Range Attribute. Refer to Section 3.2.7.

      IP-Port-Range-End TLV:

         This TLV contains the largest port number of a range of contiguous IP ports. To report a port allocation, this TLV must be included together with the IP-Port-Range-Start TLV as part of the IP-Port-Range Attribute. Refer to Section 3.2.8.

      IP-Port-Ext-IPv4-Addr TLV:

         This TLV contains the IPv4 address that is associated with the IP port range, as collectively indicated in the IP-Port-Range-Start TLV and the IP-Port-Range-End TLV. This TLV is optionally included as part of the IP-Port-Range Attribute. Refer to Section 3.2.2.

      IP-Port-Local-Id TLV:

         This TLV contains a local session identifier at the customer premise, such as a MAC address, interface ID, VLAN ID, PPP session ID, VRF ID, IPv6 address/prefix, etc. This TLV is optionally included as part of the IP-Port-Range Attribute. Refer to Section 3.2.9.

   The IP-Port-Range attribute is associated with the following identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type TLV{TBA2-1..TBA2-5}.[IP-Port-Alloc TLV(TBA8), {IP-Port-Range-Start TLV (TBA9), IP-Port-Range-End TLV (TBA10)}, {IP-Port-Ext-IPv4-Addr TLV (TBA4)}, {IP-Port-Local-Id TLV (TBA11)}].

3.1.4. IP-Port-Forwarding-Map Attribute

   This attribute contains the Extended-Type and IP-Port-Type TLV defined in Section 3.1.1, along with a set of embedded TLVs defined in Section 3.2.4 (IP-Port-Int-Port TLV), Section 3.2.5 (IP-Port-Ext-Port TLV), Section 3.2.3 (IP-Port-Int-IP-Addr TLV), Section 3.2.9 (IP-Port-Local-Id TLV) and Section 3.2.2 (IP-Port-Ext-IPv4-Addr TLV). The attribute contains a 2-byte internal IP port number that is associated with an internal IPv4 or IPv6 address or with a locally significant identifier at the customer site, and a 2-byte external IP port number that is associated with an external IPv4 address. The internal IPv4 or IPv6 address, or the local identifier, must be included; the external IPv4 address may also be included.

   The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept packet. It MAY also appear in an Access-Request packet as a hint by the device supporting port mapping, which is co-located with the NAS, to the RADIUS server as a preference, although the server is not required to honor such a hint.

   The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Forwarding-Map Attribute MAY also appear in an Accounting-Request packet.

   The attribute MUST NOT appear in any other RADIUS packet.

   The format of the IP-Port-Forwarding-Map Attribute is shown in Figure 4. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |   TLV1-Type   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  TLV1-Length  |  Value ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 4

   Type:

      TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or Extended-Type-4 (244) per [RFC6929].

   Length:

      This field indicates the total length in bytes of all fields of this attribute, including the Type, Length, Extended-Type, and the entire length of the embedded TLVs.

   Extended-Type:

      This one-byte field contains a value that indicates the IP port type; refer to Section 3.1.1 for details.

   TLV1-Type:

      TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1 for detail.

   TLV1-Length:

      This field indicates the total length in bytes of TLV1, including the TLV1-Type and TLV1-Length fields and the entire length of the embedded TLVs.

   Value:

      This field contains a set of TLVs as follows:

      IP-Port-Int-Port TLV:

         This TLV contains an internal IP port number associated with an internal IPv4 or IPv6 address. This TLV must be included together with the IP-Port-Ext-Port TLV as part of the IP-Port-Forwarding-Map attribute. Refer to Section 3.2.4.

      IP-Port-Ext-Port TLV:

         This TLV contains an external IP port number associated with an external IPv4 address. This TLV must be included together with the IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map attribute. Refer to Section 3.2.5.

      IP-Port-Int-IP-Addr TLV:

         This TLV contains an IPv4 or IPv6 address that is associated with the internal IP port number contained in the IP-Port-Int-Port TLV. Either this TLV or the IP-Port-Local-Id TLV must be included as part of the IP-Port-Forwarding-Map Attribute. Refer to Section 3.2.3.

      IP-Port-Local-Id TLV:

         This TLV contains a local session identifier at the customer premise, such as a MAC address, interface ID, VLAN ID, PPP session ID, VRF ID, IPv6 address/prefix, etc.
         Either this TLV or the IP-Port-Int-IP-Addr TLV must be included as part of the IP-Port-Forwarding-Map Attribute. Refer to Section 3.2.9.

      IP-Port-Ext-IPv4-Addr TLV:

         This TLV contains an IPv4 address that is associated with the external IP port number contained in the IP-Port-Ext-Port TLV. This TLV may be included as part of the IP-Port-Forwarding-Map Attribute. Refer to Section 3.2.2.

   The IP-Port-Forwarding-Map attribute is associated with the following identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type TLV{TBA2-1..TBA2-5}.[IP-Port-Int-Port TLV(TBA6), IP-Port-Ext-Port TLV(TBA7), {IP-Port-Int-IP-Addr TLV (TBA5)}, {IP-Port-Ext-IPv4-Addr TLV (TBA4)}].

3.2. RADIUS TLVs for IP Ports

3.2.1. IP-Port-Limit TLV

   This TLV (Figure 5) uses the format defined in [RFC6929]. Its Value field contains a 2-byte integer called IP-Port-Limit, which indicates the maximum number of ports of a specified IP-Port-Type associated with a given IPv4 address assigned to a subscriber.

   The IP-Port-Limit TLV is included as part of the IP-Port-Limit Attribute (refer to Section 3.1.2).

   Note that the IP-Port-Limit TLV is embedded within the IP-Port-Type TLV (refer to Section 3.1.1 for detail).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV2-Type   |  TLV2-Length  |         IP-Port-Limit         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 5

   TLV2-Type:

      TBA3: The type field for the IP-Port-Limit TLV.

   TLV2-Length:

      This field indicates the total length in bytes of TLV2, including the TLV2-Type and TLV2-Length fields and the Value field, i.e., IP-Port-Limit.

   IP-Port-Limit:

      2-byte integer. This field contains the maximum number of IP ports whose port type is specified by the containing IP-Port-Type TLV.

3.2.2. IP-Port-Ext-IPv4-Addr TLV

   This TLV (Figure 6) uses the format defined in [RFC6929]. Its Value field contains a 4-byte external IPv4 address.

   The IP-Port-Ext-IPv4-Addr TLV can be included as part of the IP-Port-Limit Attribute (refer to Section 3.1.2), the IP-Port-Range Attribute (refer to Section 3.1.3), and the IP-Port-Forwarding-Map Attribute (refer to Section 3.1.4).

   Note that the IP-Port-Ext-IPv4-Addr TLV is embedded within the IP-Port-Type TLV (refer to Section 3.1.1 for detail).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV3-Type   |  TLV3-Length  |     IP-Port-Ext-IPv4-Addr     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     IP-Port-Ext-IPv4-Addr     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 6

   TLV3-Type:

      TBA4: The type field for the IP-Port-Ext-IPv4-Addr TLV.

   TLV3-Length:

      6. The Length field for the IP-Port-Ext-IPv4-Addr TLV.

   IP-Port-Ext-IPv4-Addr:

      4-byte integer. This field contains the IPv4 address that is associated with the range of IP ports.

3.2.3. IP-Port-Int-IP-Addr TLV

   This TLV (Figure 7) uses the format defined in [RFC6929]. Its Value field contains an internal IPv4 or IPv6 address.

   The IP-Port-Int-IP-Addr TLV can be included as part of the IP-Port-Forwarding-Map Attribute (refer to Section 3.1.4).

   Note that the IP-Port-Int-IP-Addr TLV is embedded within the IP-Port-Type TLV (refer to Section 3.1.1 for detail).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV4-Type   |  TLV4-Length  |   IP-Port-Int-IP-Addr....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 7

   TLV4-Type:

      TBA5: The type field for the IP-Port-Int-IP-Addr TLV.

   TLV4-Length:

      6 or 18 bytes. The Length field for the IP-Port-Int-IP-Addr TLV.
747 IP-Port-Int-IP-Addr: 749 4 byte integer for IPv4 address or 16 byte for IPv6 address. 751 3.2.4. IP-Port-Int-Port TLV 753 This TLV (Figure 8) uses format defined in [RFC6929]. Its Value 754 field contains an internal IP port number that is associated with an 755 internal IPv4 or IPv6 address. 757 IP-Port-Int-Port TLV is included as part of the IP-Port-Forwarding- 758 Map Attribute (refer to Section 3.1.4). 760 IP-Port-Int-Port TLV is embedded within embedded within IP-Port-Type 761 TLV (refer to Section 3.1.1) for detail. 763 0 1 2 3 764 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 765 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 766 | TLV5-Type | TLV5-Length | IP-Port-Int-Port | 767 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 769 Figure 8 771 TLV5-Type: 773 TBA6: The type field for IP-Port-Int-Port TLV. 775 TLV5-Length: 777 4 bytes. The Length field for IP-Port-Int-Port TLV. 779 IP-Port-Int-Port: 781 2 byte integer. The internal IP port number that is associated 782 with an IPv4 or IPv6 address. 784 3.2.5. IP-Port-Ext-Port TLV 786 This TLV (Figure 9) uses format defined in [RFC6929]. Its Value 787 field contains an external IP port number that is associated with an 788 external IPv4 address. 790 IP-Port-Ext-Port TLV is included as part of the IP-Port-Forwarding- 791 Map Attribute (refer to Section 3.1.4). 793 IP-Port-Ext-Port TLV is embedded within IP-Port-Type TLV (refer to 794 Section 3.1.1) for detail. 796 0 1 2 3 797 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 798 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 799 | TLV6-Type | TLV6-Length | IP-Port-Ext-Port | 800 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 802 Figure 9 804 TLV6-Type: 806 TBA7: The type field for IP-Port-Ext-Port TLV. 808 TLV6-Length: 810 4 bytes. The Length field for IP-Port-Ext-Port TLV. 812 IP-Port-Ext-Port: 814 2 byte integer. 
      The external IP port number that is associated with an external
      IPv4 address.

3.2.6.  IP-Port-Alloc TLV

   This TLV (Figure 10) uses the format defined in [RFC6929].  Its Value
   field contains a 2-byte integer called IP-Port-Alloc, which indicates
   either the allocation or the deallocation of a range of IP ports.

   IP-Port-Alloc TLV is included as part of the IP-Port-Range Attribute
   (refer to Section 3.1.3).

   Note that IP-Port-Alloc TLV is embedded within IP-Port-Type TLV;
   refer to Section 3.1.1 for details.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV7-Type   |  TLV7-Length  |         IP-Port-Alloc         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 10

   TLV7-Type:

      TBA8: The type field for IP-Port-Alloc TLV.

   TLV7-Length:

      4.  The Length field for IP-Port-Alloc TLV.

   IP-Port-Alloc:

      2-byte integer.  This field indicates the allocation or
      deallocation of a range of IP ports as follows:

      0:  Allocation

      1:  Deallocation

3.2.7.  IP-Port-Range-Start TLV

   This TLV (Figure 11) uses the format defined in [RFC6929].  Its Value
   field contains a 2-byte integer called IP-Port-Range-Start, which
   indicates the smallest port number of a range of contiguous IP ports.

   IP-Port-Range-Start TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.3).

   Note that IP-Port-Range-Start TLV is embedded within IP-Port-Type
   TLV; refer to Section 3.1.1 for details.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV8-Type   |  TLV8-Length  |      IP-Port-Range-Start      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 11

   TLV8-Type:

      TBA9: The type field for IP-Port-Range-Start TLV.

   TLV8-Length:

      4.
      The Length field for IP-Port-Range-Start TLV.

   IP-Port-Range-Start:

      2-byte integer.  This field contains the smallest port number of a
      range of contiguous IP ports.

3.2.8.  IP-Port-Range-End TLV

   This TLV (Figure 12) uses the format defined in [RFC6929].  Its Value
   field contains a 2-byte integer called IP-Port-Range-End, which
   indicates the largest port number of a range of contiguous IP ports.

   IP-Port-Range-End TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.3).

   Note that IP-Port-Range-End TLV is embedded within IP-Port-Type TLV;
   refer to Section 3.1.1 for details.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV9-Type   |  TLV9-Length  |       IP-Port-Range-End       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 12

   TLV9-Type:

      TBA10: The type field for IP-Port-Range-End TLV.

   TLV9-Length:

      4.  The Length field for IP-Port-Range-End TLV.

   IP-Port-Range-End:

      2-byte integer.  This field contains the largest port number of a
      range of contiguous IP ports.

3.2.9.  IP-Port-Local-Id TLV

   This TLV (Figure 13) uses the format defined in [RFC6929].  Its Value
   field contains an identifier with local significance.

   In some CGN deployment scenarios, such as L2NAT
   [I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619], and Lightweight
   4over6 [I-D.ietf-softwire-lw4over6], parameters at the customer
   premises, such as a MAC address, interface ID, VLAN ID, PPP session
   ID, IPv6 prefix, VRF ID, etc., may also need to be passed to the
   RADIUS server as part of the accounting record.

   IP-Port-Local-Id TLV can be included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.3) and IP-Port-Forwarding-Map
   Attribute (refer to Section 3.1.4).
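   The inner TLVs of Sections 3.2.2 through 3.2.9 all share the
   [RFC6929] layout (a 1-octet Type, a 1-octet Length that counts the
   Type and Length octets themselves, then the Value), so one small
   codec covers every one of them.  The Python below is an added
   example, not code from this draft or from any NAS or RADIUS server
   implementation.  The type codes 4 through 11 are hypothetical
   stand-ins for the unassigned TBA4 through TBA11; the MAC-address
   bytes used as a Local-Id and the address 2001:db8::1 are constructed
   sample data, and 192.0.2.15 is the shared address from the example in
   Section 4.1.4.  The decoder refuses a Length that is smaller than the
   header or that overruns the buffer, which is the check a receiver
   needs before it trusts any of these fields.

```python
"""Added example: encoder/decoder for the inner TLVs of Sections 3.2.2-3.2.9.

Layout per RFC 6929: Type (1 octet), Length (1 octet, counting the Type and
Length octets), Value.  Type codes are hypothetical placeholders for the
TBA4..TBA11 code points the draft leaves for IANA to assign.
"""
import ipaddress
import struct

EXT_IPV4_ADDR = 4   # TBA4  IP-Port-Ext-IPv4-Addr   (4-octet value)
INT_IP_ADDR = 5     # TBA5  IP-Port-Int-IP-Addr     (4- or 16-octet value)
INT_PORT = 6        # TBA6  IP-Port-Int-Port        (2-octet value)
EXT_PORT = 7        # TBA7  IP-Port-Ext-Port        (2-octet value)
ALLOC = 8           # TBA8  IP-Port-Alloc           (2-octet value, 0 or 1)
RANGE_START = 9     # TBA9  IP-Port-Range-Start     (2-octet value)
RANGE_END = 10      # TBA10 IP-Port-Range-End       (2-octet value)
LOCAL_ID = 11       # TBA11 IP-Port-Local-Id        (variable)

ALLOCATION, DEALLOCATION = 0, 1

# Permitted Value lengths per type; None means variable (IP-Port-Local-Id).
_VALUE_LEN = {EXT_IPV4_ADDR: {4}, INT_IP_ADDR: {4, 16}, INT_PORT: {2},
              EXT_PORT: {2}, ALLOC: {2}, RANGE_START: {2}, RANGE_END: {2},
              LOCAL_ID: None}


class TLVError(ValueError):
    """Raised for any malformed or out-of-spec TLV."""


def encode_tlv(tlv_type, value):
    """Serialize one TLV: int -> 2-octet field, str -> IP address, bytes -> Local-Id."""
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFF:
            raise TLVError("2-octet value out of range: %r" % value)
        body = struct.pack("!H", value)
    elif isinstance(value, str):
        try:
            body = ipaddress.ip_address(value).packed
        except ValueError as exc:
            raise TLVError("bad IP address %r" % value) from exc
    else:
        body = bytes(value)
    allowed = _VALUE_LEN[tlv_type]
    if allowed is not None and len(body) not in allowed:
        raise TLVError("value length %d not valid for type %d" % (len(body), tlv_type))
    if not 1 <= len(body) <= 253:      # Length is one octet and includes the header
        raise TLVError("value length %d not encodable" % len(body))
    return struct.pack("!BB", tlv_type, len(body) + 2) + body


def decode_tlvs(buf):
    """Parse a run of TLVs into (type, value) pairs with strict bounds checks.

    A Length below 3 (no Value at all) or one that overruns the buffer is an
    error, not a silently truncated field, so a malformed attribute can
    neither stall the loop nor make the parser read outside the buffer.
    """
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise TLVError("truncated TLV header at offset %d" % off)
        t, ln = struct.unpack_from("!BB", buf, off)
        if ln < 3 or off + ln > len(buf):
            raise TLVError("bad Length %d at offset %d" % (ln, off))
        if t not in _VALUE_LEN:
            raise TLVError("unknown TLV type %d" % t)
        body = bytes(buf[off + 2:off + ln])
        allowed = _VALUE_LEN[t]
        if allowed is not None and len(body) not in allowed:
            raise TLVError("value length %d not valid for type %d" % (len(body), t))
        if t in (EXT_IPV4_ADDR, INT_IP_ADDR):
            value = str(ipaddress.ip_address(body))
        elif t == LOCAL_ID:
            value = body
        else:
            value = struct.unpack("!H", body)[0]
            if t == ALLOC and value not in (ALLOCATION, DEALLOCATION):
                raise TLVError("IP-Port-Alloc must be 0 or 1, got %d" % value)
        out.append((t, value))
        off += ln
    return out


def ip_port_range(ext_ipv4, alloc, start, end, local_id=None):
    """TLVs carried by one IP-Port-Range report (Section 3.1.3)."""
    if alloc not in (ALLOCATION, DEALLOCATION):
        raise TLVError("IP-Port-Alloc must be 0 or 1")
    if not 0 <= start <= end <= 0xFFFF:
        raise TLVError("range must satisfy 0 <= start <= end <= 65535")
    tlvs = (encode_tlv(EXT_IPV4_ADDR, ext_ipv4) + encode_tlv(ALLOC, alloc)
            + encode_tlv(RANGE_START, start) + encode_tlv(RANGE_END, end))
    if local_id is not None:
        tlvs += encode_tlv(LOCAL_ID, local_id)
    return tlvs


def ip_port_forwarding_map(int_ip, int_port, ext_ipv4, ext_port):
    """TLVs carried by one IP-Port-Forwarding-Map (Section 3.1.4)."""
    return (encode_tlv(INT_IP_ADDR, int_ip) + encode_tlv(INT_PORT, int_port)
            + encode_tlv(EXT_IPV4_ADDR, ext_ipv4) + encode_tlv(EXT_PORT, ext_port))


if __name__ == "__main__":
    # Constructed sample: a first pool on shared address 192.0.2.15,
    # tagged with a made-up MAC address as the Local-Id.
    report = ip_port_range("192.0.2.15", ALLOCATION, 3500, 3540, b"\x00\x1b\x21\x0a\x0b\x0c")
    print(decode_tlvs(report))
    print(decode_tlvs(ip_port_forwarding_map("2001:db8::1", 80, "192.0.2.15", 5000)))
```

   The output of decode_tlvs is the list of TLVs in wire order, so a
   receiver that requires, say, exactly one IP-Port-Range-Start and one
   IP-Port-Range-End per IP-Port-Range can count them on that list
   before acting on the report.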
   Note that IP-Port-Local-Id TLV is embedded within IP-Port-Type TLV;
   refer to Section 3.1.1 for details.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  TLV10-Type   |  TLV10-Length |      IP-Port-Local-Id...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 13

   TLV10-Type:

      TBA11: The type field for IP-Port-Local-Id TLV.

   TLV10-Length:

      Variable number of bytes.  The Length field for IP-Port-Local-Id
      TLV.

   IP-Port-Local-Id:

      This is a local session identifier at the customer premises, such
      as a MAC address, interface ID, VLAN ID, PPP session ID, VRF ID,
      IPv6 address/prefix, etc.  The length of this field is the value
      contained in the TLV10-Length field minus 2.

4.  Applications, Use Cases and Examples

   This section describes some applications and use cases to illustrate
   the use of the attributes proposed in this document.

4.1.  Managing CGN Port Behavior using RADIUS

   In a broadband network, customer information is usually stored on a
   RADIUS server, and the BNG hosts the NAS.  The communication between
   the NAS and the RADIUS server is triggered by a subscriber when the
   user signs in to the Internet service, using either PPP or DHCP/
   DHCPv6.  When a user signs in, the NAS sends a RADIUS Access-Request
   message to the RADIUS server.  The RADIUS server validates the
   request, and if the validation succeeds, it in turn sends back a
   RADIUS Access-Accept message.  The Access-Accept message carries
   configuration information specific to that user back to the NAS,
   where some of the information is passed on to the requesting user
   via PPP or DHCP/DHCPv6.

   A CGN function in a broadband network would most likely reside on a
   BNG.  In that case, parameters for CGN port/identifier mapping
   behavior for users can be configured on the RADIUS server.
   When a user signs in to the Internet service, the associated
   parameters can be conveyed to the NAS, and the proper configuration
   is applied on the CGN device for that user.

   Also, CGN operation status, such as CGN port/identifier allocation
   and de-allocation for a specific user on the BNG, can be transmitted
   back to the RADIUS server for accounting purposes using the RADIUS
   protocol.

   The RADIUS protocol has already been widely deployed in broadband
   networks to manage BNGs, thus the functionality described in this
   specification introduces little overhead to existing network
   operation.

   In the following sub-sections, we describe how to manage CGN behavior
   using the RADIUS protocol, with the RADIUS extensions proposed in
   Section 3.

4.1.1.  Configure IP Port Limit for a User

   In the face of IPv4 address shortage, there are currently proposals
   to multiplex multiple subscribers' connections over a smaller number
   of shared IPv4 addresses, such as Carrier Grade NAT [RFC6888], Dual-
   Stack Lite [RFC6333], NAT64 [RFC6146], etc.  As a result, a single
   public IPv4 address may be shared by hundreds or even thousands of
   subscribers.  As indicated in [RFC6269], it is therefore necessary to
   impose limits on the total number of ports available to an individual
   subscriber to ensure that the shared resource, i.e., the IPv4
   address, remains available in some capacity to all the subscribers
   using it; port limiting is also documented in [RFC6888] as a
   requirement.

   The IP port limit imposed on a specific subscriber may be on the
   total number of TCP and UDP ports plus the number of ICMP
   identifiers, or with other granularities as defined in Section 3.1.2.

   The per-subscriber IP port limit is configured on a RADIUS server,
   along with other user information such as credentials.
   The value of this IP port limit is based on the service agreement,
   and its specification is out of the scope of this document.

   When a subscriber signs in to the Internet service successfully, the
   IP port limit for the subscriber is passed to the BNG-based NAS,
   where the CGN is also located, using a new RADIUS attribute called
   IP-Port-Limit (defined in Section 3.1.2), along with other
   configuration parameters.  While some parameters are passed on to the
   subscriber, the IP port limit is recorded on the CGN device to bound
   the usage of TCP/UDP ports and ICMP identifiers by that subscriber.

   Figure 14 illustrates how the RADIUS protocol is used to configure
   the maximum number of TCP/UDP ports for a given subscriber on a NAT44
   device.

        User                  NAT44/NAS                     AAA
         |                       BNG                      Server
         |                        |                          |
         |                        |                          |
         |----Service Request---->|                          |
         |                        |                          |
         |                        |-----Access-Request------>|
         |                        |                          |
         |                        |<----Access-Accept--------|
         |                        |     (IP-Port-Limit)      |
         |                        |   (for TCP/UDP ports)    |
         |<---Service Granted-----|                          |
         |   (other parameters)   |                          |
         |                        |                          |
         |          (NAT44 external port                     |
         |           allocation and                          |
         |           IPv4 address assignment)                |
         |                        |                          |

     Figure 14: RADIUS Message Flow for Configuring NAT44 Port Limit

   The IP port limit created on a CGN device for a specific user using
   this RADIUS extension may be changed using a RADIUS CoA message
   [RFC5176] that carries the same RADIUS attribute.  The CoA message
   may be sent from the RADIUS server directly to the NAS; once the NAS
   accepts it and sends back a RADIUS CoA-ACK message, the new IP port
   limit replaces the previous one.

   Figure 15 illustrates how the RADIUS protocol is used to increase the
   TCP/UDP port limit from 1024 to 2048 on a NAT44 device for a specific
   user.
        User                   NAT/NAS                      AAA
         |                       BNG                      Server
         |                        |                          |
         |   TCP/UDP Port Limit (1024)                       |
         |                        |                          |
         |                        |<--------CoA-Request------|
         |                        |     (IP-Port-Limit)      |
         |                        |   (for TCP/UDP ports)    |
         |                        |                          |
         |   TCP/UDP Port Limit (2048)                       |
         |                        |                          |
         |                        |--------CoA-Response----->|
         |                        |                          |

    Figure 15: RADIUS Message Flow for changing a user's NAT44 port limit

4.1.2.  Report IP Port Allocation/De-allocation

   Upon obtaining the IP port limit for a subscriber, the CGN device
   needs to allocate a TCP/UDP port or an ICMP identifier for the
   subscriber when receiving a new IP flow sent from that subscriber.

   As one practice, a CGN may allocate a block of TCP/UDP ports or ICMP
   identifiers at a time for a specific user, instead of one port/
   identifier at a time, and within each block the ports/identifiers
   may be randomly distributed or consecutive.  When a CGN device
   allocates a block of TCP/UDP ports or ICMP identifiers, the
   information can be easily conveyed to the RADIUS server by a new
   RADIUS attribute called IP-Port-Range (defined in Section 3.1.3).
   The CGN device may allocate one or more TCP/UDP port ranges or ICMP
   identifier ranges, generically called IP port ranges, where each
   range contains a set of numbers representing TCP/UDP ports or ICMP
   identifiers, and the total number of ports/identifiers must be less
   than or equal to the IP port limit imposed for that subscriber.  A
   CGN device may choose to allocate a small port range first and
   allocate more at a later time as needed; such practice is good
   because of its randomizing nature.

   At the same time, the CGN device also needs to decide the shared IPv4
   address for that subscriber.  The shared IPv4 address and the pre-
   allocated IP port range are both passed to the RADIUS server.
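   The behavior Section 4.1.2 describes (ranges allocated in bulk per
   subscriber, their total kept at or below IP-Port-Limit, a random port
   chosen from the allocated ranges per flow, an idle range freed, and
   an IP-Port-Range report for every allocation and de-allocation) fits
   in a small bookkeeping class.  The Python below is an added example,
   not code from this draft or from any CGN product.  The subscriber,
   the shared address 192.0.2.15, the 500- and 1000-port limits and the
   pools 3500-3540 (41 ports) and 8500-8800 (301 ports) are constructed
   values, chosen to match the narrative of the example in Section
   4.1.4.  The draft does not say what a CGN should do when a CoA lowers
   the limit below what is already allocated; the example refuses such a
   request, which the NAS would express as a CoA-NAK.

```python
"""Added example: CGN-side port-range bookkeeping for Section 4.1.2.

Not code from the draft.  Tracks the inclusive (start, end) ranges
allocated to one subscriber, keeps their total at or below the
IP-Port-Limit received in Access-Accept or CoA, and returns, for every
allocation or de-allocation, the fields of the IP-Port-Range report the
CGN would place in an Accounting-Request.  Names, addresses, range sizes
and limits are constructed for the walkthrough.
"""
import random


class PortLimitExceeded(Exception):
    """Allocating this range would take the subscriber over IP-Port-Limit."""


class SubscriberPorts:
    def __init__(self, ext_ipv4, limit, rng=None):
        self.ext_ipv4 = ext_ipv4      # shared IPv4 address chosen by the CGN
        self.limit = limit            # IP-Port-Limit (TCP/UDP ports here)
        self.ranges = []              # allocated (start, end) pairs, inclusive
        self.in_use = set()           # external ports currently mapped to flows
        self._rng = rng or random.SystemRandom()

    def allocated(self):
        """Total number of ports held across all ranges."""
        return sum(end - start + 1 for start, end in self.ranges)

    def allocate(self, start, end):
        """Reserve a contiguous range; refused if it would breach the limit."""
        if not 0 < start <= end <= 0xFFFF:
            raise ValueError("bad port range %d-%d" % (start, end))
        if any(s <= end and start <= e for s, e in self.ranges):
            raise ValueError("range %d-%d overlaps an allocated range" % (start, end))
        size = end - start + 1
        if self.allocated() + size > self.limit:
            raise PortLimitExceeded("%d + %d > limit %d" % (self.allocated(), size, self.limit))
        self.ranges.append((start, end))
        return self._report(0, start, end)          # IP-Port-Alloc = 0

    def deallocate(self, start, end):
        """Release a range that carries no active mapping (the 'free' case)."""
        if (start, end) not in self.ranges:
            raise ValueError("range %d-%d is not allocated" % (start, end))
        if any(start <= p <= end for p in self.in_use):
            raise ValueError("range %d-%d still has mapped ports" % (start, end))
        self.ranges.remove((start, end))
        return self._report(1, start, end)          # IP-Port-Alloc = 1

    def set_limit(self, new_limit):
        """Apply an IP-Port-Limit from a CoA-Request; True = ACK, False = NAK.

        Lowering the limit below what is already allocated is refused here;
        the draft leaves that case unspecified.
        """
        if new_limit < self.allocated():
            return False
        self.limit = new_limit
        return True

    def pick_port(self):
        """Random free external port from the allocated ranges, or None."""
        free = [p for s, e in self.ranges for p in range(s, e + 1)
                if p not in self.in_use]
        if not free:
            return None                              # allocate another range first
        port = self._rng.choice(free)
        self.in_use.add(port)
        return port

    def release_port(self, port):
        """A flow ended; its external port may be picked again."""
        self.in_use.discard(port)

    def _report(self, alloc, start, end):
        """Fields of the IP-Port-Range attribute (Section 3.1.3)."""
        return {"Ext-IPv4-Addr": self.ext_ipv4, "Alloc": alloc,
                "Range-Start": start, "Range-End": end}


def walkthrough():
    """Constructed run: a 500-port limit, two pools, a CoA, and a release."""
    joe = SubscriberPorts("192.0.2.15", limit=500, rng=random.Random(7))
    events = [joe.allocate(3500, 3540)]          # 41 ports, reported
    port = joe.pick_port()                        # first flow gets one of them
    events.append(joe.allocate(8500, 8800))       # 301 more, 342 in total
    try:
        joe.allocate(9000, 9200)                  # 201 more would exceed 500
    except PortLimitExceeded:
        events.append("refused")
    nak = joe.set_limit(300)                      # CoA below the 342 already held
    ack = joe.set_limit(1000)                     # CoA raising the limit
    events.append(joe.deallocate(8500, 8800))     # idle pool freed, reported
    return {"events": events, "port": port, "nak": nak, "ack": ack,
            "allocated": joe.allocated(), "limit": joe.limit}


if __name__ == "__main__":
    for key, val in walkthrough().items():
        print(key, val)
```

   Each dictionary returned by allocate and deallocate holds exactly the
   values that go into the IP-Port-Ext-IPv4-Addr, IP-Port-Alloc,
   IP-Port-Range-Start and IP-Port-Range-End TLVs of one IP-Port-Range
   attribute, so the accounting client only has to serialize them.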
   When a subscriber initiates an IP flow, the CGN device randomly
   selects a TCP/UDP port or ICMP identifier from the pre-allocated IP
   port range associated with that subscriber to replace the original
   source TCP/UDP port or ICMP identifier, along with the replacement of
   the source IP address by the shared IPv4 address.

   A CGN device may decide to "free" a previously assigned set of TCP/
   UDP ports or ICMP identifiers that have been allocated for a specific
   subscriber but are not currently in use, and in that case the CGN
   device must send the information on the de-allocated IP port range,
   along with the shared IPv4 address, to the RADIUS server.

   Figure 16 illustrates how the RADIUS protocol is used to report a set
   of ports allocated and de-allocated, respectively, by a NAT44 device
   for a specific user to the RADIUS server.

        Host                  NAT44/NAS                     AAA
         |                       BNG                      Server
         |                        |                          |
         |                        |                          |
         |----Service Request---->|                          |
         |                        |                          |
         |                        |-----Access-Request------>|
         |                        |                          |
         |                        |<----Access-Accept--------|
         |<---Service Granted-----|                          |
         |   (other parameters)   |                          |
        ...                      ...                        ...
         |                        |                          |
         |                        |                          |
         |       (NAT44 decides to allocate                  |
         |        a TCP/UDP port range for the user)         |
         |                        |                          |
         |                        |----Accounting-Request--->|
         |                        |      (IP-Port-Range      |
         |                        |       for allocation)    |
        ...                      ...                        ...
         |                        |                          |
         |       (NAT44 decides to de-allocate               |
         |        a TCP/UDP port range for the user)         |
         |                        |                          |
         |                        |----Accounting-Request--->|
         |                        |      (IP-Port-Range      |
         |                        |      for de-allocation)  |
         |                        |                          |

     Figure 16: RADIUS Message Flow for reporting NAT44 allocation/de-
                        allocation of a port set

4.1.3.  Configure Forwarding Port Mapping

   In most scenarios, the port mapping on a NAT device is dynamically
   created when the IP packets of an IP connection initiated by a user
   arrive.
   For some applications, the port mapping needs to be pre-defined,
   allowing IP packets of applications from outside a CGN device to pass
   through and be "port forwarded" to the correct user located behind
   the CGN device.

   The Port Control Protocol (PCP) [RFC6887] provides a mechanism to
   create a mapping from an external IP address and port to an internal
   IP address and port on a CGN device precisely to achieve this "port
   forwarding" purpose.  PCP is a client-server protocol capable of
   creating or deleting a mapping, along with a rich set of other
   features, on a CGN device in a dynamic fashion.  In some
   deployments, all a user needs is a few, typically just one, pre-
   configured port mapping for applications such as a web cam at home,
   and such a port mapping remains valid throughout the duration of the
   customer's Internet service connection.  In such an environment, it
   is possible to statically configure a port mapping on the RADIUS
   server for a user and let the RADIUS protocol propagate the
   information to the associated CGN device.

   Figure 17 illustrates how the RADIUS protocol is used to configure a
   forwarding port mapping on a NAT44 device.
        Host                   NAT/NAS                      AAA
         |                       BNG                      Server
         |                        |                          |
         |----Service Request---->|                          |
         |                        |                          |
         |                        |-----Access-Request------>|
         |                        |                          |
         |                        |<----Access-Accept--------|
         |                        |  (IP-Port-Forwarding-Map)|
         |<---Service Granted-----|                          |
         |   (other parameters)   |                          |
         |                        |                          |
         |       (Create a port mapping                      |
         |        for the user, and                          |
         |        associate it with the                      |
         |        internal IP address                        |
         |        and external IP address)                   |
         |                        |                          |
         |                        |                          |
         |                        |---Accounting-Request---->|
         |                        |  (IP-Port-Forwarding-Map)|

      Figure 17: RADIUS Message Flow for configuring a forwarding port
                                  mapping

   A port forwarding mapping that is created on a CGN device using this
   RADIUS extension as described above may also be changed using a
   RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
   The CoA message may be sent from the RADIUS server directly to the
   NAS; once the NAS accepts it and sends back a RADIUS CoA-ACK message,
   the new port forwarding mapping replaces the previous one.

   Figure 18 illustrates how the RADIUS protocol is used to change an
   existing port mapping from (a:X) to (a:Y), where "a" is an internal
   port and "X" and "Y" are external ports, respectively, for a specific
   user with a specific IP address.

        Host                   NAT/NAS                      AAA
         |                       BNG                      Server
         |                        |                          |
         |   Internal IP Address  |                          |
         |   Port Map (a:X)       |                          |
         |                        |                          |
         |                        |<--------CoA-Request------|
         |                        |  (IP-Port-Forwarding-Map)|
         |                        |                          |
         |   Internal IP Address  |                          |
         |   Port Map (a:Y)       |                          |
         |                        |                          |
         |                        |--------CoA-Response----->|
         |                        |  (IP-Port-Forwarding-Map)|

      Figure 18: RADIUS Message Flow for changing a user's forwarding port
                                   mapping

4.1.4.  An Example

   An Internet Service Provider (ISP) assigns 500 TCP/UDP ports to the
   subscriber Joe.  This number is the limit on the TCP/UDP ports that
   can be used on a NAT44 device for Joe, and is configured on a RADIUS
   server.
   Also, Joe asks for a pre-defined port forwarding mapping on the NAT44
   device for his web cam application (external port 5000 maps to
   internal port 80).

   When Joe successfully connects to the Internet service, the RADIUS
   server conveys the TCP/UDP port limit (500) and the forwarding port
   mapping (external port 5000 to internal port 80) to the NAT44 device,
   using the IP-Port-Limit attribute and the IP-Port-Forwarding-Map
   attribute, respectively, carried by an Access-Accept message to the
   BNG where the NAS and CGN are co-located.

   Upon receiving the first outbound IP packet sent from Joe's laptop,
   the NAT44 device decides to allocate a small port pool that contains
   41 consecutive ports, from 3500 to 3540 inclusive, and also assigns
   a shared IPv4 address, 192.0.2.15, for Joe.  The NAT44 device also
   randomly selects one port from the allocated range (say 3519) and
   uses that port to replace the original source port in outbound IP
   packets.

   For accounting purposes, the NAT44 device passes this port range
   (3500-3540) and the shared IPv4 address 192.0.2.15 together to the
   RADIUS server using the IP-Port-Range attribute carried by an
   Accounting-Request message.

   When Joe works on more applications with more outbound IP sessions
   and the port pool (3500-3540) is close to exhaustion, the NAT44
   device allocates a second port pool (8500-8800) in a similar fashion,
   and also passes the new port range (8500-8800) and the IPv4 address
   192.0.2.15 together to the RADIUS server using the IP-Port-Range
   attribute carried by an Accounting-Request message.  Note that when
   the CGN allocates more ports, it needs to ensure that the total
   number of ports allocated for Joe (342 after the second pool) stays
   within the limit.

   Joe decides to upgrade his service agreement with more TCP/UDP ports
   allowed (up to 1000 ports).
   The ISP updates the information in Joe's profile on the RADIUS
   server, which then sends a CoA-Request message that carries the IP-
   Port-Limit attribute with 1000 ports to the NAT44 device; the NAT44
   device in turn sends back a CoA-ACK message.  With that, Joe enjoys
   more available TCP/UDP ports for his applications.

   When Joe travels, most of the IP sessions are closed and their
   associated TCP/UDP ports are released on the NAT44 device, which then
   sends the relevant information back to the RADIUS server using the
   IP-Port-Range attribute carried by an Accounting-Request message.

   Throughout Joe's connection with his ISP's Internet service,
   applications in the external realm can communicate with his web cam
   at home directly, traversing the pre-configured mapping on the CGN
   device.

   When Joe disconnects from his Internet service, the CGN device will
   de-allocate all TCP/UDP ports as well as the port-forwarding mapping,
   and send the relevant information to the RADIUS server.

4.2.  Report Assigned Port Set for a Visiting UE

   Figure 19 illustrates an example of the flow exchange which occurs
   when a visiting UE connects to a CPE offering WLAN service.

   For identification purposes (see [RFC6967]), once the CPE assigns a
   port set, it issues a RADIUS message to report the assigned port set.

      UE            CPE                   NAS                      AAA
       |             |                    BNG                     Server
                     |                        |                          |
                     |                        |                          |
                     |----Service Request---->|                          |
                     |                        |                          |
                     |                        |-----Access-Request------>|
                     |                        |                          |
                     |                        |<----Access-Accept--------|
                     |<---Service Granted-----|                          |
                     |   (other parameters)   |                          |
      ...            |                       ...                        ...
       |<---IP@------|                        |                          |
       |             |                        |                          |
       |      (CPE assigns a TCP/UDP port     |                          |
       |       range for this visiting UE)    |                          |
       |             |                        |                          |
       |             |--Accounting-Request-...------------------------->|
       |             |  (IP-Port-Range        |                          |
       |             |   for allocation)      |                          |
      ...            |                       ...                        ...
       |             |                        |                          |
       |             |                        |                          |
       |      (CPE withdraws a TCP/UDP port   |                          |
       |       range for a visiting UE)       |                          |
       |             |                        |                          |
       |             |--Accounting-Request-...------------------------->|
       |             |  (IP-Port-Range        |                          |
       |             |   for de-allocation)   |                          |
       |             |                        |                          |

      Figure 19: RADIUS Message Flow for reporting CPE allocation/de-
                 allocation of a port set to a visiting UE

5.  Table of Attributes

   This document proposes three new RADIUS attributes; their formats
   are as follows:

   o  IP-Port-Limit: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA3, {TBA4}]

   o  IP-Port-Range: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA8, TBA9, TBA10,
      {TBA4}, {TBA11}]

   o  IP-Port-Forwarding-Map: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA6, TBA7,
      TBA5, {TBA4}]

   The following table provides a guide as to what types of RADIUS
   packets may contain these attributes, and in what quantity.

   Request Accept Reject Challenge Acct.    #    Attribute
                                   Request
   0+      0+     0      0         0+       TBA  IP-Port-Limit
   0       0      0      0         0+       TBA  IP-Port-Range
   0+      0+     0      0         0+       TBA  IP-Port-Forwarding-Map

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the
       packet.

6.  Security Considerations

   This document does not introduce any security issues beyond those
   already identified in [RFC2865].  The CoA exchanges described in
   Section 4 are additionally subject to the security considerations of
   [RFC5176].

7.  IANA Considerations

   This document requires new code point assignments for the new RADIUS
   attributes as follows:

   o  TBA1 (refer to Section 3.1.1): This value is for the RADIUS Type
      field and should be allocated from the number space of Extended-
      Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or
      Extended-Type-4 (244) per [RFC6929].

   o  TBA2 (refer to Section 3.1.1): This value is for the Extended-Type
      field and should be allocated from the Short Extended Space per
      [RFC6929].
   o  TBA2-1, TBA2-2, TBA2-3, TBA2-4, and TBA2-5 (refer to
      Section 3.1.1): These values are for the Type field of IP-Port-
      Type TLV that is within the TBA2 container, and they should be
      allocated as TLV data type and effectively extend the attribute
      tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3, TBA2-4, TBA2-5}.

   o  TBA3 (refer to Section 3.1.2): This value is for the Type field of
      IP-Port-Limit TLV.  It should be allocated as TLV data type and it
      extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3,
      TBA2-4, TBA2-5}.TBA3.

   o  TBA4 (refer to Section 3.2.2): This value is for the Type field of
      IP-Port-Ext-IPv4-Addr TLV.  It should be allocated as TLV data
      type and it extends the attribute tree as TBA1.TBA2.{TBA2-1,
      TBA2-2, TBA2-3, TBA2-4, TBA2-5}.[TBA4...].

   o  TBA5 (refer to Section 3.2.3): This value is for the Type field of
      IP-Port-Int-IP-Addr TLV.  It should be allocated as TLV data type
      and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
      TBA2-3, TBA2-4, TBA2-5}.[TBA5...].

   o  TBA6 (refer to Section 3.2.4): This value is for the Type field of
      IP-Port-Int-Port TLV.  It should be allocated as TLV data type and
      it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
      TBA2-3, TBA2-4, TBA2-5}.[TBA6...].

   o  TBA7 (refer to Section 3.2.5): This value is for the Type field of
      IP-Port-Ext-Port TLV.  It should be allocated as TLV data type and
      it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
      TBA2-3, TBA2-4, TBA2-5}.[TBA7...].

   o  TBA8 (refer to Section 3.2.6): This value is for the Type field of
      IP-Port-Alloc TLV.  It should be allocated as TLV data type and it
      extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3,
      TBA2-4, TBA2-5}.[TBA8...].

   o  TBA9 (refer to Section 3.2.7): This value is for the Type field of
      IP-Port-Range-Start TLV.
      It should be allocated as TLV data type and it extends the
      attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3, TBA2-4,
      TBA2-5}.[TBA9...].

   o  TBA10 (refer to Section 3.2.8): This value is for the Type field
      of IP-Port-Range-End TLV.  It should be allocated as TLV data type
      and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
      TBA2-3, TBA2-4, TBA2-5}.[TBA10...].

   o  TBA11 (refer to Section 3.2.9): This value is for the Type field
      of IP-Port-Local-Id TLV.  It should be allocated as TLV data type
      and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
      TBA2-3, TBA2-4, TBA2-5}.[TBA11...].

8.  Acknowledgements

   Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
   Thaler, Alan DeKok, Lionel Morand, and Peter Deacon for their useful
   comments and suggestions.

9.  References

9.1.  Normative References

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets", BCP
              5, RFC 1918, February 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)", RFC
              2865, June 2000.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              January 2008.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929, April
              2013.

9.2.  Informative References

   [I-D.gundavelli-v6ops-community-wifi-svcs]
              Gundavelli, S., Grayson, M., Seite, P., and Y.
              Lee, "Service Provider Wi-Fi Services Over Residential
              Architectures", draft-gundavelli-v6ops-community-wifi-
              svcs-06 (work in progress), April 2013.

   [I-D.ietf-softwire-lw4over6]
              Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and
              I. Farrer, "Lightweight 4over6: An Extension to the DS-
              Lite Architecture", draft-ietf-softwire-lw4over6-10 (work
              in progress), June 2014.

   [I-D.miles-behave-l2nat]
              Miles, D. and M. Townsley, "Layer2-Aware NAT", draft-
              miles-behave-l2nat-00 (work in progress), March 2009.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022, January
              2001.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, April 2011.

   [RFC6269]  Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing", RFC 6269, June
              2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, June 2012.

   [RFC6887]  Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
              Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
              2013.

   [RFC6888]  Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
              and H. Ashida, "Common Requirements for Carrier-Grade NATs
              (CGNs)", BCP 127, RFC 6888, April 2013.

   [RFC6967]  Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Potential Solutions for Revealing a Host
              Identifier (HOST_ID) in Shared Address Deployments", RFC
              6967, June 2013.
Authors' Addresses

   Dean Cheng
   Huawei
   2330 Central Expressway
   Santa Clara, California 95050
   USA

   Email: dean.cheng@huawei.com


   Jouni Korhonen
   Broadcom
   Porkkalankatu 24
   FIN-00180 Helsinki
   Finland

   Email: jouni.nospam@gmail.com


   Mohamed Boucadair
   France Telecom
   Rennes
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina
   USA

   Email: ssenthil@cisco.com