Network Working Group                                           D. Cheng
Internet-Draft                                                    Huawei
Intended status: Standards Track                             J. Korhonen
Expires: September 10, 2016                         Broadcom Corporation
                                                            M. Boucadair
                                                                  Orange
                                                            S. Sivakumar
                                                           Cisco Systems
                                                           March 9, 2016

        RADIUS Extensions for IP Port Configuration and Reporting
                 draft-ietf-radext-ip-port-radius-ext-07

Abstract

   This document defines three new RADIUS attributes.  For devices that
   implement IP port ranges, these attributes are used to communicate
   with a RADIUS server in order to configure and report TCP/UDP ports
   and ICMP identifiers, as well as mapping behavior for specific hosts.
   This mechanism can be used in various deployment scenarios such as
   Carrier Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 10, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Extensions of RADIUS Attributes and TLVs
     3.1.  Extended Attributes for IP Ports
       3.1.1.  IP-Port-Limit Attribute
       3.1.2.  IP-Port-Range Attribute
       3.1.3.  IP-Port-Forwarding-Map Attribute
     3.2.  RADIUS TLVs for IP Ports
       3.2.1.  IP-Port-Type TLV
       3.2.2.  IP-Port-Limit TLV
       3.2.3.  IP-Port-Ext-IPv4-Addr TLV
       3.2.4.  IP-Port-Int-IPv4-Addr TLV
       3.2.5.  IP-Port-Int-IPv6-Addr TLV
       3.2.6.  IP-Port-Int-Port TLV
       3.2.7.  IP-Port-Ext-Port TLV
       3.2.8.  IP-Port-Alloc TLV
       3.2.9.  IP-Port-Range-Start TLV
       3.2.10. IP-Port-Range-End TLV
       3.2.11. IP-Port-Local-Id TLV
   4.  Applications, Use Cases and Examples
     4.1.  Managing CGN Port Behavior using RADIUS
       4.1.1.  Configure IP Port Limit for a User
       4.1.2.  Report IP Port Allocation/De-allocation
       4.1.3.  Configure Forwarding Port Mapping
       4.1.4.  An Example
     4.2.  Report Assigned Port Set for a Visiting UE
   5.  Table of Attributes
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  IANA Considerations on New IPFIX Information Elements
     7.2.  IANA Considerations on New RADIUS Attributes
     7.3.  IANA Considerations on New RADIUS Nested Attributes
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   In a broadband network, customer information is usually stored on a
   RADIUS server [RFC2865].  When a user initiates an IP connection
   request and that request is authorized, the RADIUS server populates
   the user's configuration information to the Network Access Server
   (NAS), which is often referred to as a Broadband Network Gateway
   (BNG) in broadband access networks.  The Carrier-Grade NAT (CGN)
   function may also be implemented on the BNG.  Within this document,
   the CGN may perform the NAT44 [RFC3022], NAT64 [RFC6146], or
   Dual-Stack Lite AFTR [RFC6333] function.  In such a case, the CGN
   TCP/UDP port (or ICMP identifier) mapping behavior can be part of
   the configuration information sent from the RADIUS server to the
   NAS/BNG.  The NAS/BNG may also report to the RADIUS server the
   port/identifier mapping behavior applied by the CGN to a user
   session, as part of the accounting information sent from the NAS/BNG
   to the RADIUS server.

   When IP packets traverse the CGN, it performs TCP/UDP source port
   mapping or ICMP identifier mapping as required.  A TCP/UDP source
   port or ICMP identifier, along with the source IP address,
   destination IP address, destination port and protocol identifier if
   applicable, uniquely identifies a session.  Since the number space of
   TCP/UDP ports and ICMP identifiers in the CGN's external realm is
   shared among multiple users assigned the same IPv4 address, the total
   number of a user's simultaneous IP sessions is likely to be subject
   to a port quota (see Section 5 of [RFC6269]).

   The attributes defined in this document may also be used to report
   the assigned port range in some deployments such as Provider WLAN
   [I-D.gundavelli-v6ops-community-wifi-svcs].  For example, a visiting
   host can be managed by a CPE (Customer Premises Equipment) which will
   need to report the assigned port range to the service platform.  This
   is required for identification purposes (see TR-146 [TR-146] for more
   details).

   This document proposes three new attributes as extensions to the
   RADIUS protocol, used for the following separate purposes:

   1.  IP-Port-Limit: This attribute may be carried in a RADIUS Access-
       Accept, Access-Request, Accounting-Request or CoA-Request packet.
       The purpose of this attribute is to limit the total number of
       TCP/UDP ports and/or ICMP identifiers allocated to a user,
       associated with one or more IPv4 addresses.

   2.  IP-Port-Range: This attribute may be carried in a RADIUS
       Accounting-Request packet.  The purpose of this attribute is to
       let an address sharing device (e.g., a CGN) report to the RADIUS
       server the range of TCP/UDP ports and/or ICMP identifiers that
       have been allocated or deallocated, associated with a given IPv4
       address, for a user.

   3.  IP-Port-Forwarding-Map: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet.  The purpose of this attribute is to specify how an IPv4
       address and a TCP/UDP port (or an ICMP identifier) are mapped to
       another IPv4 address and a TCP/UDP port (or an ICMP identifier).

   IPFIX Information Elements [RFC7012] can be used for IP flow
   identification and representation over RADIUS.  This document
   provides a mapping between RADIUS TLVs and IPFIX Information Element
   identifiers.  As a consequence, new IPFIX Information Elements are
   defined by this document (see Section 3).

2.  Terminology

   This document makes use of the following terms:

   o  IP Port: refers to the port numbers of IP transport protocols,
      including TCP port, UDP port and ICMP identifier.

   o  IP Port Type: refers to one of the following: (1) TCP/UDP port and
      ICMP identifier, (2) TCP port and UDP port, (3) TCP port, (4) UDP
      port, or (5) ICMP identifier.

   o  IP Port Limit: denotes the maximum number of IP ports of a
      specific IP port type that a device supporting port ranges can use
      when performing port number mapping for a specific user.  Note
      that this limit is usually associated with one or more IPv4
      addresses.

   o  IP Port Range: specifies a set of contiguous IP ports, indicated
      by the lowest and the highest port number, inclusive.

   o  Internal IP Address: refers to the IP address that is used as the
      source IP address in an outbound IP packet sent towards a device
      supporting port ranges in the internal realm.

   o  External IP Address: refers to the IP address that is used as the
      source IP address in an outbound IP packet after traversing a
      device supporting port ranges, in the external realm.

   o  Internal Port: is a UDP or TCP port, or an ICMP identifier, which
      is allocated by a host or application behind a device supporting
      port ranges for an outbound IP packet in the internal realm.

   o  External Port: is a UDP or TCP port, or an ICMP identifier, which
      is allocated by a device supporting port ranges upon receiving an
      outbound IP packet in the internal realm, and is used to replace
      the internal port that was allocated by a user or application.

   o  External realm: refers to the network segment where external IP
      addresses are used, with respect to the device supporting port
      ranges.

   o  Internal realm: refers to the network segment that is behind a
      device supporting port ranges and where internal IP addresses are
      used.

   o  Mapping: the relationship, maintained by a device supporting port
      ranges, between an internal IP address, internal port and
      protocol on one side, and an external IP address, external port
      and protocol on the other.

   o  Port-based device: a device that is capable of providing IP
      address and IP port mapping services, in particular with the
      granularity of one or more subsets within the 16-bit IP port
      number range.  Typical examples of such a device are a CGN, a CPE
      or a Provider WLAN Gateway.

   Note that the definitions of "internal IP address", "internal port",
   "internal realm", "external IP address", "external port", "external
   realm", and "mapping" are the same as defined in Port Control
   Protocol (PCP) [RFC6887], and the Common Requirements for Carrier-
   Grade NATs (CGNs) [RFC6888].

3.  Extensions of RADIUS Attributes and TLVs

   These three new attributes are defined in the following sub-sections:

   1.  IP-Port-Limit Attribute

   2.  IP-Port-Range Attribute

   3.  IP-Port-Forwarding-Map Attribute

   All these attributes are allocated from the RADIUS "Extended Type"
   code space per [RFC6929].

   In all the figures describing the RADIUS attribute and TLV formats
   in the following sub-sections, the fields are transmitted from left
   to right.

3.1.  Extended Attributes for IP Ports

3.1.1.  IP-Port-Limit Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains the following sub-attributes:

   o  an IP-Port-Type TLV (see Section 3.2.1),

   o  an IP-Port-Limit TLV (see Section 3.2.2),

   o  an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   It specifies the maximum number of IP ports, as indicated in the
   IP-Port-Limit TLV, of a specific port type, as indicated in the
   IP-Port-Type TLV, associated with a given IPv4 address, as indicated
   in the IP-Port-Ext-IPv4-Addr TLV, for an end user.

   Note that when the IP-Port-Ext-IPv4-Addr TLV is not included as part
   of the IP-Port-Limit Attribute, the port limit applies to all the
   IPv4 addresses managed by the port device, e.g., a CGN or NAT64
   device.

   The IP-Port-Limit Attribute MAY appear in an Access-Accept packet.
   It MAY also appear in an Access-Request packet as a preferred maximum
   number of IP ports indicated by the device supporting port ranges
   co-located with the NAS (e.g., a CGN or NAT64).  However, the RADIUS
   server is not required to honor such a preference.

   The IP-Port-Limit Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Limit Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Limit Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Limit Attribute is shown in Figure 1.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1

   Type:

      241 (To be confirmed by IANA).

   Length:

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type:

      TBA2.

   Value:

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV:

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Limit TLV:

         This TLV contains the maximum number of IP ports of a specific
         IP port type, associated with a given IPv4 address, for an end
         user.  This TLV must be included in the IP-Port-Limit
         Attribute.  Refer to Section 3.2.2.

      IP-Port-Ext-IPv4-Addr TLV:

         This TLV contains the IPv4 address that is associated with the
         IP port limit contained in the IP-Port-Limit TLV.  This TLV is
         optionally included as part of the IP-Port-Limit Attribute.
         Refer to Section 3.2.3.

   The IP-Port-Limit attribute is associated with the following
   identifier: 241.Extended-Type(TBA2).

3.1.2.  IP-Port-Range Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains the following sub-attributes:

   o  an IP-Port-Type TLV (see Section 3.2.1),

   o  an IP-Port-Range-Start TLV (see Section 3.2.9),

   o  an IP-Port-Range-End TLV (see Section 3.2.10),

   o  an IP-Port-Alloc TLV (see Section 3.2.8),

   o  an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3),

   o  an optional IP-Port-Local-Id TLV (see Section 3.2.11).

   This attribute contains a range of contiguous IP ports of a specific
   port type, associated with an IPv4 address, that are either allocated
   or deallocated by a device for a given user; the information is
   intended to be sent to the RADIUS server.

   This attribute can also be used to convey a single IP port number; in
   that case the IP-Port-Range-Start and IP-Port-Range-End TLVs convey
   the same value.

   Within an IP-Port-Range Attribute, the IP-Port-Alloc TLV is always
   included.  For port allocation, both the IP-Port-Range-Start TLV and
   the IP-Port-Range-End TLV must be included; for port deallocation,
   the inclusion of these two TLVs is optional, and if they are not
   included, all ports that were previously allocated are now
   deallocated.  Both the IP-Port-Ext-IPv4-Addr TLV and the
   IP-Port-Local-Id TLV are optional; if included, they are used by a
   port device (e.g., a CGN device) to identify the end user.

   The IP-Port-Range Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Range Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Range Attribute is shown in Figure 2.  The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   Type:

      241 (To be confirmed by IANA).

   Length:

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type:

      TBA3.

   Value:

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV:

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Alloc TLV:

         This TLV contains a flag indicating whether the specified range
         of IP ports is being allocated or deallocated.  This TLV must
         be included as part of the IP-Port-Range Attribute.  Refer to
         Section 3.2.8.

      IP-Port-Range-Start TLV:

         This TLV contains the smallest port number of a range of
         contiguous IP ports.  To report a port allocation, this TLV
         must be included together with the IP-Port-Range-End TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.9.

      IP-Port-Range-End TLV:

         This TLV contains the largest port number of a range of
         contiguous IP ports.  To report a port allocation, this TLV
         must be included together with the IP-Port-Range-Start TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.10.

      IP-Port-Ext-IPv4-Addr TLV:

         This TLV contains the IPv4 address that is associated with the
         IP port range, as collectively indicated in the
         IP-Port-Range-Start TLV and the IP-Port-Range-End TLV.  This
         TLV is optionally included as part of the IP-Port-Range
         Attribute.  Refer to Section 3.2.3.

      IP-Port-Local-Id TLV:

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IPv6 address/prefix, etc.  This TLV is
         optionally included as part of the IP-Port-Range Attribute.
         Refer to Section 3.2.11.

   The IP-Port-Range attribute is associated with the following
   identifier: 241.Extended-Type(TBA3).

3.1.3.  IP-Port-Forwarding-Map Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains the following sub-attributes:

   o  an IP-Port-Type TLV (see Section 3.2.1),

   o  an IP-Port-Int-Port TLV (see Section 3.2.6),

   o  an IP-Port-Ext-Port TLV (see Section 3.2.7),

   o  either an IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4) or an
      IP-Port-Local-Id TLV (see Section 3.2.11),

   o  either an IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5) or an
      IP-Port-Local-Id TLV (see Section 3.2.11),

   o  an IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   The attribute contains a 2-byte internal IP port number that is
   associated with an internal IPv4 or IPv6 address, or with a locally
   significant identifier at the customer site, and a 2-byte external
   IP port number that is associated with an external IPv4 address.
   The internal IPv4 or IPv6 address, or the local identifier, must be
   included; the external IPv4 address may also be included.

   The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet to indicate a
   preferred port mapping by the device co-located with the NAS.
   However, the server is not required to honor such a preference.

   The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request
   packet.

   The IP-Port-Forwarding-Map Attribute MAY also appear in an
   Accounting-Request packet.

   The IP-Port-Forwarding-Map Attribute MUST NOT appear in any other
   RADIUS packet.

   The format of the IP-Port-Forwarding-Map Attribute is shown in
   Figure 3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3

   Type:

      241 (To be confirmed by IANA).

   Length:

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type:

      TBA4.

   Value:

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV:

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Int-Port TLV:

         This TLV contains an internal IP port number associated with an
         internal IPv4 or IPv6 address.  This TLV must be included
         together with the IP-Port-Ext-Port TLV as part of the
         IP-Port-Forwarding-Map Attribute.  Refer to Section 3.2.6.

      IP-Port-Ext-Port TLV:

         This TLV contains an external IP port number associated with an
         external IPv4 address.  This TLV must be included together with
         the IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.7.

      IP-Port-Int-IPv4-Addr TLV:

         This TLV contains an IPv4 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an IPv4 network, either this TLV or the IP-Port-Local-Id
         TLV must be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.4.

      IP-Port-Int-IPv6-Addr TLV:

         This TLV contains an IPv6 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an IPv6 network, either this TLV or the IP-Port-Local-Id
         TLV must be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.5.

      IP-Port-Local-Id TLV:

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IPv6 address/prefix, etc.  Either this TLV
         or the IP-Port-Int-IPv4-Addr / IP-Port-Int-IPv6-Addr TLV must
         be included as part of the IP-Port-Forwarding-Map Attribute.
         Refer to Section 3.2.11.

      IP-Port-Ext-IPv4-Addr TLV:

         This TLV contains an IPv4 address that is associated with the
         external IP port number contained in the IP-Port-Ext-Port TLV.
         This TLV may be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.3.

   The IP-Port-Forwarding-Map attribute is associated with the following
   identifier: 241.Extended-Type(TBA4).

3.2.  RADIUS TLVs for IP Ports

3.2.1.  IP-Port-Type TLV

   This TLV (Figure 4) uses the format defined in [RFC6929].  Its "Type"
   field contains a value that uniquely refers to the IPFIX Information
   Element "transportType" (TBAx1), and its "Value" field contains one
   of the values defined for the IPFIX Information Element
   "transportType", which indicates the type of IP transport as follows:

   1:  Refers to TCP port, UDP port, and ICMP identifier as a whole.

   2:  Refers to TCP port and UDP port as a whole.

   3:  Refers to TCP port only.

   4:  Refers to UDP port only.

   5:  Refers to ICMP identifier only.

   The IP-Port-Type TLV is included as part of the IP-Port-Limit
   Attribute (refer to Section 3.1.1), the IP-Port-Range Attribute
   (refer to Section 3.1.2), and the IP-Port-Forwarding-Map Attribute
   (refer to Section 3.1.3).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |          transportType
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            transportType          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 4

   Type:

      The value depends on the encapsulating attribute (see the IANA
      section).  This MUST uniquely refer to the IPFIX Information
      Element identifier TBAx1.

   Length:

      6.

   transportType:

      Integer.  This field contains the data (unsigned8) of
      transportType (TBAx1) defined in IPFIX, right justified, and the
      unused bits in this field MUST be set to zero.

3.2.2.  IP-Port-Limit TLV

   This TLV (Figure 5) uses the format defined in [RFC6929].  Its "Type"
   field contains a value that uniquely refers to the IPFIX Information
   Element natTransportLimit (TBAx2), and its "Value" field contains the
   IPFIX Information Element natTransportLimit, which indicates the
   maximum number of ports for a given IPv4 address assigned to a user
   for a specified IP-Port-Type.

   The IP-Port-Limit TLV is included as part of the IP-Port-Limit
   Attribute (refer to Section 3.1.1).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        natTransportLimit
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          natTransportLimit        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 5

   Type:

      TBD2.2.  It MUST uniquely refer to the IPFIX Information Element
      identifier TBAx2.

   Length:

      6.

   natTransportLimit:

      Integer.  This field contains the data (unsigned16) of
      natTransportLimit (TBAx2) defined in IPFIX, right justified, and
      the unused bits in this field MUST be set to zero.

3.2.3.  IP-Port-Ext-IPv4-Addr TLV

   This TLV (Figure 6) uses the format defined in [RFC6929].  Its "Type"
   field contains a value that uniquely refers to the IPFIX Information
   Element postNATSourceIPv4Address (225), and its "Value" field
   contains the IPFIX Information Element postNATSourceIPv4Address,
   which is the IPv4 source address after the NAT operation (refer to
   [IPFIX]).

   The IP-Port-Ext-IPv4-Addr TLV MAY be included as part of the
   IP-Port-Limit Attribute (refer to Section 3.1.1), the IP-Port-Range
   Attribute (refer to Section 3.1.2), and the IP-Port-Forwarding-Map
   Attribute (refer to Section 3.1.3).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    postNATSourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      postNATSourceIPv4Address     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 6

   Type:

      The value depends on the encapsulating attribute (see the IANA
      section).  This MUST uniquely refer to the IPFIX Information
      Element identifier 225.

   Length:

      6.

   postNATSourceIPv4Address:

      Integer.  This field contains the data (ipv4Address) of
      postNATSourceIPv4Address (225) defined in IPFIX.

3.2.4.  IP-Port-Int-IPv4-Addr TLV

   This TLV (Figure 7) uses the format defined in [RFC6929].  Its "Type"
   field contains a value that uniquely refers to the IPFIX Information
   Element sourceIPv4Address (8), and its "Value" field contains the
   IPFIX Information Element sourceIPv4Address, which is the IPv4 source
   address before the NAT operation (refer to [IPFIX]).

   The IP-Port-Int-IPv4-Addr TLV MAY be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |       sourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          sourceIPv4Address        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 7

   Type:

      TBD4.3.  It MUST uniquely refer to the IPFIX Information Element
      identifier 8.

   Length:

      6.

   sourceIPv4Address:

      Integer.  This field contains the data (ipv4Address) of
      sourceIPv4Address (8) defined in IPFIX.

3.2.5.  IP-Port-Int-IPv6-Addr TLV

   This TLV (Figure 8) uses the format defined in [RFC6929].  Its "Type"
   field contains a value that uniquely refers to the IPFIX Information
   Element sourceIPv6Address (27), and its "Value" field contains the
   IPFIX Information Element sourceIPv6Address, which is the IPv6 source
   address before the NAT operation (refer to [IPFIX]).

   The IP-Port-Int-IPv6-Addr TLV MAY be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3).
751 0 1 2 3 752 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 753 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 754 | Type | Length | sourceIPv6Address 755 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 756 sourceIPv6Address 757 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 758 sourceIPv6Address 759 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 760 sourceIPv6Address 761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 762 sourceIPv6Address | 763 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 765 Figure 8 767 Type: 769 TBD4.4. It MUST uniquely refer to the IPFIX Information Element 770 identifier 27. 772 Length: 774 18. 776 sourceIPv6Address: 778 IPv6 address (128 bits). This field contains the data 779 (ipv6Address) of sourceIPv6Address (27) defined in IPFIX. 781 3.2.6. IP-Port-Int-Port TLV 783 This TLV (Figure 9) uses format defined in [RFC6929]. Its "Type" 784 field contains a value that uniquely refers to IPFIX Information 785 Element sourceTransportPort (7), and its "Value" field contains IPFIX 786 Information Element sourceTransportPort, which is the source 787 transport number associated with an internal IPv4 or IPv6 address 788 (refer to [IPFIX]). 790 IP-Port-Int-Port TLV is included as part of the IP-Port-Forwarding- 791 Map Attribute (refer to Section 3.1.3). 793 0 1 2 3 794 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 795 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 796 | Type | Length | sourceTransportPort 797 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 798 sourceTransportPort | 799 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 801 Figure 9 803 Type: 805 TBD4.5. It MUST uniquely refer to the IPFIX Information Element 806 identifier 7. 808 Length: 810 4. 812 sourceTransportPort: 814 Integer. 
      This field contains the data (unsigned16) of sourceTransportPort
      (7) defined in IPFIX.

3.2.7.  IP-Port-Ext-Port TLV

   This TLV (Figure 10) uses the format defined in [RFC6929].  Its
   "Type" field contains a value that uniquely refers to IPFIX
   Information Element postNAPTSourceTransportPort (227), and its
   "Value" field contains IPFIX Information Element
   postNAPTSourceTransportPort, which is the transport port number
   associated with an external IPv4 address (refer to [IPFIX]).

   IP-Port-Ext-Port TLV is included as part of the IP-Port-Forwarding-
   Map Attribute (refer to Section 3.1.3).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  postNAPTSourceTransportPort  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 10

   Type:

      TBD4.6.  It MUST uniquely refer to the IPFIX Information Element
      identifier 227.

   Length:

      4.  (Two octets of TLV header plus the two-octet unsigned16
      value, the same layout as IP-Port-Int-Port.)

   postNAPTSourceTransportPort:

      Integer.  This field contains the data (unsigned16) of
      postNAPTSourceTransportPort (227) defined in IPFIX.

3.2.8.  IP-Port-Alloc TLV

   This TLV (Figure 11) uses the format defined in [RFC6929].  Its
   "Type" field contains a value that uniquely refers to IPFIX
   Information Element natEvent (230), and its "Value" field contains
   IPFIX Information Element natEvent, which is a flag that indicates
   the action of a NAT operation (refer to [IPFIX]).

   When the value of natEvent is "1" (Create event), it means that a
   range of transport ports is allocated; when the value is "2" (Delete
   event), it means that a range of transport ports is de-allocated.
   For the purpose of this TLV, no other value is used.
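   The following Python program is an added example and is not part of
   the draft.  It encodes an IP-Port-Range attribute (241.TBD3) from the
   TLVs of Sections 3.2.8 through 3.2.10 (IP-Port-Alloc, IP-Port-Range-
   Start, IP-Port-Range-End) plus the IP-Port-Type and IP-Port-Ext-IPv4-
   Addr TLVs that the IANA table in Section 7.3 places in the same
   attribute, using the RFC 6929 Extended-Type and TLV layouts, and then
   parses it back while checking every Length octet and the value
   constraints stated in these sections (natEvent is 1 or 2,
   portRangeStart does not exceed portRangeEnd).  Assumptions: the TBD
   code points are unassigned, so 241.TBD3 is given the placeholder
   value 3 and the TLV numbers follow the order of Section 7.3; IP-Port-
   Type is taken to be a one-octet transportType (Section 7.1) and IP-
   Port-Ext-IPv4-Addr a four-octet address laid out like IP-Port-Int-
   IPv4-Addr (Section 3.2.4).

```python
"""Added example: build and parse an IP-Port-Range attribute (241.TBD3)
carrying the TLVs of Section 3.2, in the RFC 6929 Extended-Type layout.
Every value marked TBD in the draft is a placeholder here."""
import struct
from ipaddress import IPv4Address

RADIUS_TYPE_EXTENDED_1 = 241
EXT_TYPE_IP_PORT_RANGE = 3            # placeholder for 241.TBD3 (unassigned)
# TLV numbers inside IP-Port-Range, in the order of the Section 7.3 table
TLV_PORT_TYPE, TLV_EXT_IPV4, TLV_ALLOC, TLV_RANGE_START, TLV_RANGE_END = 1, 2, 3, 4, 5
TLV_VALUE_LEN = {TLV_PORT_TYPE: 1, TLV_EXT_IPV4: 4, TLV_ALLOC: 1,
                 TLV_RANGE_START: 2, TLV_RANGE_END: 2}
REQUIRED = {TLV_PORT_TYPE, TLV_ALLOC, TLV_RANGE_START, TLV_RANGE_END}
NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC = 1, 2   # natEvent values used by the TLV
TRANSPORT_TYPES = range(1, 6)               # transportType values, Section 7.1


def tlv(t: int, value: bytes) -> bytes:
    """RFC 6929 TLV: Type(1) Length(1, counts the header too) Value."""
    if not 1 <= t <= 254 or not 1 <= len(value) <= 253:
        raise ValueError("TLV type or value length out of range")
    return struct.pack("!BB", t, len(value) + 2) + value


def encode_ip_port_range(transport_type, ext_ipv4, nat_event, start, end):
    """Return the on-the-wire attribute for one allocation/de-allocation."""
    if transport_type not in TRANSPORT_TYPES:
        raise ValueError("unknown transportType")
    if nat_event not in (NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC):
        raise ValueError("natEvent must be 1 (allocate) or 2 (de-allocate)")
    if not 0 <= start <= end <= 0xFFFF:
        raise ValueError("need 0 <= portRangeStart <= portRangeEnd <= 65535")
    body = b"".join([
        tlv(TLV_PORT_TYPE, struct.pack("!B", transport_type)),
        tlv(TLV_EXT_IPV4, IPv4Address(ext_ipv4).packed),
        tlv(TLV_ALLOC, struct.pack("!B", nat_event)),
        tlv(TLV_RANGE_START, struct.pack("!H", start)),
        tlv(TLV_RANGE_END, struct.pack("!H", end)),
    ])
    if len(body) > 252:                     # Length is a single octet
        raise ValueError("attribute too long")
    # Extended-Type attribute: Type(1) Length(1) Extended-Type(1) Value
    return struct.pack("!BBB", RADIUS_TYPE_EXTENDED_1, 3 + len(body),
                       EXT_TYPE_IP_PORT_RANGE) + body


def parse_ip_port_range(data: bytes) -> dict:
    """Parse and validate; no length is trusted before it is checked."""
    if len(data) < 4:
        raise ValueError("attribute too short")
    typ, length, ext = struct.unpack("!BBB", data[:3])
    if typ != RADIUS_TYPE_EXTENDED_1 or ext != EXT_TYPE_IP_PORT_RANGE:
        raise ValueError("not an IP-Port-Range attribute")
    if length != len(data):
        raise ValueError("attribute Length does not match the data")
    raw = {}
    off = 3
    while off < length:
        if length - off < 2:
            raise ValueError("truncated TLV header")
        t, tl = data[off], data[off + 1]
        if tl < 3 or off + tl > length:
            raise ValueError("bad TLV length")
        if t in raw:
            raise ValueError("duplicate TLV %d" % t)
        if t in TLV_VALUE_LEN and tl - 2 != TLV_VALUE_LEN[t]:
            raise ValueError("wrong value length for TLV %d" % t)
        raw[t] = data[off + 2:off + tl]
        off += tl
    missing = REQUIRED - set(raw)
    if missing:
        raise ValueError("missing TLVs %s" % sorted(missing))
    rec = {
        "transport_type": raw[TLV_PORT_TYPE][0],
        "nat_event": raw[TLV_ALLOC][0],
        "start": struct.unpack("!H", raw[TLV_RANGE_START])[0],
        "end": struct.unpack("!H", raw[TLV_RANGE_END])[0],
        "ext_ipv4": (str(IPv4Address(raw[TLV_EXT_IPV4]))
                     if TLV_EXT_IPV4 in raw else None),
    }
    if rec["transport_type"] not in TRANSPORT_TYPES:
        raise ValueError("unknown transportType")
    if rec["nat_event"] not in (NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC):
        raise ValueError("natEvent is neither 1 nor 2")
    if rec["start"] > rec["end"]:
        raise ValueError("portRangeStart exceeds portRangeEnd")
    rec["ports"] = rec["end"] - rec["start"] + 1   # counted against the limit
    return rec


if __name__ == "__main__":
    wire = encode_ip_port_range(2, "192.0.2.15", NAT_EVENT_ALLOC, 3500, 3539)
    print(wire.hex())
    print(parse_ip_port_range(wire))
```

   A receiver that trusts the Length octets without these checks can be
   walked past the end of the packet by a short TLV, and rejecting a
   duplicate TLV keeps a second natEvent from silently overriding the
   first one in the same attribute.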
   IP-Port-Alloc TLV is included as part of the IP-Port-Range Attribute
   (refer to Section 3.1.2).

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   natEvent    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 11

   Type:

      TBD3.3.  It MUST uniquely refer to the IPFIX Information Element
      identifier 230.

   Length:

      3.

   natEvent:

      Integer.  This field contains the data (unsigned8) of natEvent
      (230) defined in IPFIX.  It indicates the allocation or
      de-allocation of a range of IP ports as follows:

      1:

         Allocation

      2:

         De-allocation

3.2.9.  IP-Port-Range-Start TLV

   This TLV (Figure 12) uses the format defined in [RFC6929].  Its
   "Type" field contains a value that uniquely refers to IPFIX
   Information Element portRangeStart (361), and its "Value" field
   contains IPFIX Information Element portRangeStart, which is the
   smallest port number of a range of contiguous transport ports (refer
   to [IPFIX]).

   IP-Port-Range-Start TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        portRangeStart         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 12

   Type:

      TBD3.4.  It MUST uniquely refer to the IPFIX Information Element
      identifier 361.

   Length:

      4.

   portRangeStart:

      Integer.  This field contains the data (unsigned16) of
      portRangeStart (361) defined in IPFIX.

3.2.10.
IP-Port-Range-End TLV

   This TLV (Figure 13) uses the format defined in [RFC6929].  Its
   "Type" field contains a value that uniquely refers to IPFIX
   Information Element portRangeEnd (362), and its "Value" field
   contains IPFIX Information Element portRangeEnd, which is the largest
   port number of a range of contiguous transport ports (refer to
   [IPFIX]).

   IP-Port-Range-End TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         portRangeEnd          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 13

   Type:

      TBD3.5.  It MUST uniquely refer to the IPFIX Information Element
      identifier 362.

   Length:

      4.

   portRangeEnd:

      Integer.  This field contains the data (unsigned16) of
      portRangeEnd (362) defined in IPFIX.

3.2.11.  IP-Port-Local-Id TLV

   This TLV (Figure 14) uses the format defined in [RFC6929].  Its
   "Type" field contains a value that uniquely refers to the IPFIX
   Information Element localID (TBAx3), and its "Value" field contains
   IPFIX Information Element localID, which is a locally significant
   identifier as explained below.

   In some CGN deployment scenarios such as DS-Extra-Lite [RFC6619] and
   Lightweight 4over6 [RFC7596], parameters at the customer premises
   such as the MAC address, interface ID, VLAN ID, PPP session ID, IPv6
   prefix, VRF ID, etc., may also need to be passed to the RADIUS server
   as part of the accounting record.

   IP-Port-Local-Id TLV MAY be included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2) and the IP-Port-Forwarding-Map
   Attribute (refer to Section 3.1.3).
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   localID ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 14

   Type:

      The value depends on the encapsulating attribute (see the IANA
      section).  This MUST uniquely refer to the IPFIX Information
      Element identifier TBAx3.

   Length:

      Variable number of bytes.

   localID:

      String.  This field contains the data (string) of localID (TBAx3)
      defined in IPFIX.  This is a local session identifier at the
      customer premises, such as a MAC address, interface ID, VLAN ID,
      PPP session ID, VRF ID, IPv6 address/prefix, etc.

4.  Applications, Use Cases and Examples

   This section describes some applications and use cases to illustrate
   the use of the attributes proposed in this document.

4.1.  Managing CGN Port Behavior using RADIUS

   In a broadband network, customer information is usually stored on a
   RADIUS server, and the BNG acts as a NAS.  The communication between
   the NAS and the RADIUS server is triggered when a user signs in to
   the Internet service, using either PPP or DHCP/DHCPv6.  When a user
   signs in, the NAS sends a RADIUS Access-Request message to the RADIUS
   server.  The RADIUS server validates the request and, if the
   validation succeeds, sends back a RADIUS Access-Accept message.  The
   Access-Accept message carries configuration information specific to
   that user back to the NAS, where some of the information is passed on
   to the requesting user via PPP or DHCP/DHCPv6.

   A CGN function in a broadband network is most likely co-located with
   a BNG.  In that case, parameters for CGN port/identifier mapping
   behavior for users can be configured on the RADIUS server.
   When a user signs in to the Internet service, the associated
   parameters can be conveyed to the NAS, and the proper configuration
   is applied on the CGN device for that user.

   Also, CGN operation status, such as CGN port/identifier allocation
   and de-allocation for a specific user on the BNG, can be transmitted
   back to the RADIUS server for accounting purposes using the RADIUS
   protocol.

   The RADIUS protocol has already been widely deployed in broadband
   networks to manage BNGs, thus the functionality described in this
   specification introduces little overhead to the existing network
   operation.

   In the following sub-sections, we describe how to manage CGN behavior
   using the RADIUS protocol, with the RADIUS extensions proposed in
   Section 3.

4.1.1.  Configure IP Port Limit for a User

   In the face of IPv4 address shortage, there are currently proposals
   to multiplex multiple users' connections over a smaller number of
   shared IPv4 addresses, such as Carrier Grade NAT [RFC6888], Dual-
   Stack Lite [RFC6333], NAT64 [RFC6146], etc.  As a result, a single
   public IPv4 address may be shared by hundreds or even thousands of
   users.  As indicated in [RFC6269], it is therefore necessary to
   impose limits on the total number of ports available to an individual
   user to ensure that the shared resource, i.e., the IPv4 address,
   remains available in some capacity to all the users sharing it.  The
   support of an IP port limit is also documented in [RFC6888] as a
   requirement for CGNs.

   The IP port limit imposed on a specific user may be on the total
   number of TCP and UDP ports plus the number of ICMP identifiers, or
   with other granularities as defined in Section 3.1.1.

   The per-user IP port limit is configured on a RADIUS server, along
   with other user information such as credentials.
   The value of this IP port limit is based on the service agreement,
   and its specification is out of the scope of this document.

   When a user signs in to the Internet service successfully, the IP
   port limit for the subscriber is passed by the RADIUS server to the
   BNG, acting as a NAS and co-located with the CGN, using the new
   RADIUS attribute IP-Port-Limit (defined in Section 3.1.1), along with
   other configuration parameters.  While some parameters are passed on
   to the user, the IP port limit is recorded on the CGN device to
   enforce the limit on the TCP/UDP ports and ICMP identifiers that user
   may consume.

   Figure 15 illustrates how the RADIUS protocol is used to configure
   the maximum number of TCP/UDP ports for a given user on a NAT44
   device.

    User                  NAT44/NAS                     AAA
      |                    BNG                      Server
      |                         |                             |
      |----Service Request----->|                             |
      |                         |                             |
      |                         |-----Access-Request--------->|
      |                         |                             |
      |                         |<----Access-Accept-----------|
      |                         |     (IP-Port-Limit)         |
      |                         |     (for TCP/UDP ports)     |
      |<---Service Granted -----|                             |
      |   (other parameters)    |                             |
      |                         |                             |
      |      (NAT44 external port                             |
      |       allocation and                                  |
      |       IPv4 address assignment)                        |
      |                         |                             |

      Figure 15: RADIUS Message Flow for Configuring NAT44 Port Limit

   The IP port limit created on a CGN device for a specific user using
   this RADIUS extension may be changed using a RADIUS CoA message
   [RFC5176] that carries the same RADIUS attribute.  The CoA message
   may be sent from the RADIUS server directly to the NAS; once the NAS
   accepts it and sends back a RADIUS CoA ACK message, the new IP port
   limit replaces the previous one.

   Figure 16 illustrates how the RADIUS protocol is used to increase the
   TCP/UDP port limit from 1024 to 2048 on a NAT44 device for a specific
   user.
    User                  NAT44/NAS                     AAA
      |                    BNG                      Server
      |                         |                             |
      |              TCP/UDP Port Limit (1024)                |
      |                         |                             |
      |                         |<---------CoA Request--------|
      |                         |     (IP-Port-Limit)         |
      |                         |     (for TCP/UDP ports)     |
      |                         |                             |
      |              TCP/UDP Port Limit (2048)                |
      |                         |                             |
      |                         |---------CoA Response------->|
      |                         |                             |

   Figure 16: RADIUS Message Flow for changing a user's NAT44 port limit

4.1.2.  Report IP Port Allocation/De-allocation

   Upon obtaining the IP port limit for a user, the CGN device needs to
   allocate a TCP/UDP port or an ICMP identifier for the user when it
   receives a new IP flow sent from that user.

   As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP
   identifiers at a time for a specific user, instead of one port/
   identifier at a time, and within each bulk the ports/identifiers may
   be randomly distributed or consecutive.  When a CGN device allocates
   a bulk of TCP/UDP ports or ICMP identifiers, the information can be
   conveyed to the RADIUS server by the new RADIUS attribute IP-Port-
   Range (defined in Section 3.1.2).  The CGN device may allocate one or
   more TCP/UDP port ranges or ICMP identifier ranges, generically
   called IP port ranges, where each range contains a set of numbers
   representing TCP/UDP ports or ICMP identifiers, and the total number
   of ports/identifiers must be less than or equal to the IP port limit
   imposed for that user.  A CGN device may choose to allocate a small
   port range, and allocate more at a later time as needed; this
   practice is preferable because the ports a user ends up with are less
   predictable.

   At the same time, the CGN device also needs to decide the shared IPv4
   address for that user.  The shared IPv4 address and the pre-allocated
   IP port range are both passed to the RADIUS server.
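   The following Python class is an added example, not the draft's own
   code, of the bookkeeping a CGN has to keep behind the exchanges of
   Sections 4.1.1 and 4.1.2: it records the port ranges allocated to one
   subscriber on a shared external IPv4 address, refuses an allocation
   that would push the total past the IP-Port-Limit, applies a CoA that
   changes the limit, picks a random port from the allocated ranges for
   a new flow, and returns the (natEvent, address, start, end) tuples
   that each IP-Port-Range report would carry.  One behaviour is an
   assumption, since the draft does not specify it: a CoA that lowers
   the limit below what is already allocated is answered with a NAK and
   leaves the old limit in place.  The walk-through at the end uses the
   figures of Section 4.1.4.

```python
"""Added example: per-subscriber port-range bookkeeping behind the
IP-Port-Limit / IP-Port-Range exchange (Sections 4.1.1 and 4.1.2).
Nothing here touches the wire format; it models the state a CGN keeps."""
import random

NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC = 1, 2      # natEvent values, Section 3.2.8


class SubscriberPorts:
    """Port ranges one subscriber holds on a shared external IPv4 address."""

    def __init__(self, ext_ipv4: str, limit: int):
        self.ext_ipv4 = ext_ipv4
        self.limit = limit            # IP-Port-Limit from Access-Accept / CoA
        self.ranges = []              # inclusive (start, end) pairs
        self.events = []              # (natEvent, ext_ipv4, start, end) reports

    def in_use(self) -> int:
        """Ports currently allocated; never allowed to exceed self.limit."""
        return sum(end - start + 1 for start, end in self.ranges)

    def allocate(self, start: int, end: int) -> tuple:
        """Hand out a contiguous range; returns the IP-Port-Range report."""
        if not 1 <= start <= end <= 65535:
            raise ValueError("need 1 <= start <= end <= 65535")
        if any(start <= e and s <= end for s, e in self.ranges):
            raise ValueError("range overlaps a range already allocated")
        if self.in_use() + (end - start + 1) > self.limit:
            raise ValueError("allocation would exceed the IP-Port-Limit")
        self.ranges.append((start, end))
        event = (NAT_EVENT_ALLOC, self.ext_ipv4, start, end)
        self.events.append(event)
        return event

    def release(self, start: int, end: int) -> tuple:
        """Free a range that is no longer in use; returns the report."""
        if (start, end) not in self.ranges:
            raise ValueError("no such allocated range")
        self.ranges.remove((start, end))
        event = (NAT_EVENT_DEALLOC, self.ext_ipv4, start, end)
        self.events.append(event)
        return event

    def change_limit(self, new_limit: int) -> bool:
        """Apply a CoA carrying a new IP-Port-Limit; True means CoA ACK.
        Assumption (not in the draft): a limit below the ports already
        allocated is refused (NAK) so that in_use() <= limit keeps holding."""
        if new_limit < self.in_use():
            return False
        self.limit = new_limit
        return True

    def pick_port(self, rng=random) -> int:
        """Source port for a new flow, uniform over every allocated port
        (Section 4.1.2), not merely over the ranges."""
        total = self.in_use()
        if total == 0:
            raise LookupError("no ports allocated for this subscriber")
        k = rng.randrange(total)
        for start, end in self.ranges:
            if k <= end - start:
                return start + k
            k -= end - start + 1
        raise AssertionError("unreachable: k exceeds allocated ports")

    def disconnect(self) -> list:
        """Subscriber signs off: every range is released and reported."""
        return [self.release(s, e) for s, e in list(self.ranges)]


def joe_scenario():
    """Walk through Section 4.1.4; returns the subscriber and the CoA result."""
    joe = SubscriberPorts("192.0.2.15", limit=500)
    joe.allocate(3500, 3539)          # first small pool, 40 ports
    joe.allocate(8500, 8800)          # second pool, 301 ports; 341 <= 500
    coa_ack = joe.change_limit(1000)  # upgraded service agreement
    joe.release(8500, 8800)           # sessions closed while travelling
    joe.disconnect()                  # everything released on sign-off
    return joe, coa_ack


if __name__ == "__main__":
    subscriber, ack = joe_scenario()
    print("CoA ACK:", ack)
    for ev in subscriber.events:
        print(ev)
```

   The overlap check matters as much as the limit check: two ranges
   handed to the same subscriber that share ports would make the
   accounting records claim more ports than the CGN actually holds.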
   When a user initiates an IP flow, the CGN device randomly selects a
   TCP/UDP port or ICMP identifier from the pre-allocated IP port range
   associated with that user to replace the original source TCP/UDP
   port or ICMP identifier, along with replacing the source IP address
   by the shared IPv4 address.

   A CGN device may decide to "free" a previously assigned set of TCP/
   UDP ports or ICMP identifiers that have been allocated for a specific
   user but are not currently in use; when it does so, the CGN device
   must send the de-allocated IP port range along with the shared IPv4
   address to the RADIUS server.

   Figure 17 illustrates how the RADIUS protocol is used to report a set
   of ports allocated and de-allocated, respectively, by a NAT44 device
   for a specific user to the RADIUS server.

    Host                  NAT44/NAS                     AAA
      |                    BNG                      Server
      |                         |                             |
      |----Service Request----->|                             |
      |                         |                             |
      |                         |-----Access-Request--------->|
      |                         |                             |
      |                         |<----Access-Accept-----------|
      |<---Service Granted -----|                             |
      |   (other parameters)    |                             |
     ...                       ...                           ...
      |                         |                             |
      |      (NAT44 decides to allocate                       |
      |       a TCP/UDP port range for the user)              |
      |                         |                             |
      |                         |-----Accounting-Request----->|
      |                         |     (IP-Port-Range          |
      |                         |      for allocation)        |
     ...                       ...                           ...
      |                         |                             |
      |      (NAT44 decides to de-allocate                    |
      |       a TCP/UDP port range for the user)              |
      |                         |                             |
      |                         |-----Accounting-Request----->|
      |                         |     (IP-Port-Range          |
      |                         |      for de-allocation)     |
      |                         |                             |

     Figure 17: RADIUS Message Flow for reporting NAT44 allocation/de-
                           allocation of a port set

4.1.3.  Configure Forwarding Port Mapping

   In most scenarios, the port mapping on a NAT device is dynamically
   created when the IP packets of a connection initiated by a user
   arrive.
   For some applications, the port mapping needs to be pre-defined,
   allowing IP packets of applications from outside a CGN device to pass
   through and be "port forwarded" to the correct user located behind
   the CGN device.

   The Port Control Protocol (PCP) [RFC6887] provides a mechanism to
   create a mapping from an external IP address and port to an internal
   IP address and port on a CGN device, precisely for this "port
   forwarding" purpose.  PCP is a client-server protocol capable of
   creating or deleting a mapping, along with a rich set of features, on
   a CGN device in a dynamic fashion.  In some deployments, all a user
   needs is a few, typically just one, pre-configured port mapping for
   applications such as a web cam at home, and such a port mapping
   remains valid throughout the duration of the customer's Internet
   service connection.  In such an environment, it is possible to
   statically configure a port mapping on the RADIUS server for a user
   and let the RADIUS protocol propagate the information to the
   associated CGN device.

   Figure 18 illustrates how the RADIUS protocol is used to configure a
   forwarding port mapping on a NAT44 device.
    Host                   NAT/NAS                      AAA
      |                    BNG                      Server
      |                         |                             |
      |----Service Request----->|                             |
      |                         |                             |
      |                         |-----Access-Request--------->|
      |                         |                             |
      |                         |<----Access-Accept-----------|
      |                         |   (IP-Port-Forwarding-Map)  |
      |<---Service Granted -----|                             |
      |   (other parameters)    |                             |
      |                         |                             |
      |      (Create a port mapping                           |
      |       for the user, and                               |
      |       associate it with the                           |
      |       internal IP address                             |
      |       and external IP address)                        |
      |                         |                             |
      |                         |-----Accounting-Request----->|
      |                         |   (IP-Port-Forwarding-Map)  |

       Figure 18: RADIUS Message Flow for configuring a forwarding port
                                  mapping

   A port forwarding mapping that is created on a CGN device using this
   RADIUS extension as described above may also be changed using a
   RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
   The CoA message may be sent from the RADIUS server directly to the
   NAS; once the NAS accepts it and sends back a RADIUS CoA ACK message,
   the new port forwarding mapping replaces the previous one.

   Figure 19 illustrates how the RADIUS protocol is used to change an
   existing port mapping from (a:X) to (a:Y), where "a" is an internal
   port, and "X" and "Y" are external ports, respectively, for a
   specific user with a specific IP address.

    Host                   NAT/NAS                      AAA
      |                    BNG                      Server
      |                         |                             |
      |              Internal IP Address                      |
      |              Port Map (a:X)                           |
      |                         |                             |
      |                         |<---------CoA Request--------|
      |                         |   (IP-Port-Forwarding-Map)  |
      |                         |                             |
      |              Internal IP Address                      |
      |              Port Map (a:Y)                           |
      |                         |                             |
      |                         |---------CoA Response------->|
      |                         |   (IP-Port-Forwarding-Map)  |

     Figure 19: RADIUS Message Flow for changing a user's forwarding port
                                  mapping

4.1.4.  An Example

   An Internet Service Provider (ISP) assigns 500 TCP/UDP ports to the
   user Joe.  This number is the limit on the TCP/UDP ports that can be
   used on a NAT44 device for Joe, and it is configured on a RADIUS
   server.
   Also, Joe asks for a pre-defined port forwarding mapping on the NAT44
   device for his web cam application (external port 5000 maps to
   internal port 80).

   When Joe successfully connects to the Internet service, the RADIUS
   server conveys the TCP/UDP port limit (500) and the forwarding port
   mapping (external port 5000 to internal port 80) to the NAT44 device,
   using the IP-Port-Limit attribute and the IP-Port-Forwarding-Map
   attribute, respectively, carried by an Access-Accept message to the
   BNG where the NAS and CGN are co-located.

   Upon receiving the first outbound IP packet sent from Joe's laptop,
   the NAT44 device decides to allocate a small port pool that contains
   40 consecutive ports, from 3500 to 3539 inclusive, and also assigns
   the shared IPv4 address 192.0.2.15 to Joe.  The NAT44 device also
   randomly selects one port from the allocated range (say 3519) and
   uses that port to replace the original source port in outbound IP
   packets.

   For accounting purposes, the NAT44 device passes this port range
   (3500-3539) and the shared IPv4 address 192.0.2.15 together to the
   RADIUS server using the IP-Port-Range attribute carried by an
   Accounting-Request message.

   When Joe works on more applications with more outbound IP sessions
   and the port pool (3500-3539) is close to exhaustion, the NAT44
   device allocates a second port pool (8500-8800) in a similar fashion,
   and also passes the new port range (8500-8800) and IPv4 address
   192.0.2.15 together to the RADIUS server using the IP-Port-Range
   attribute carried by an Accounting-Request message.  Note that when
   the CGN allocates more ports, it needs to ensure that the total
   number of ports allocated for Joe stays within the limit (here 40 +
   301 = 341 of the 500 allowed).

   Joe decides to upgrade his service agreement with more TCP/UDP ports
   allowed (up to 1000 ports).
   The ISP updates the information in Joe's profile on the RADIUS
   server, which then sends a CoA-Request message that carries the
   IP-Port-Limit attribute with 1000 ports to the NAT44 device; the
   NAT44 device in turn sends back a CoA-ACK message.  With that, Joe
   enjoys more available TCP/UDP ports for his applications.

   When Joe travels, most of the IP sessions are closed and their
   associated TCP/UDP ports are released on the NAT44 device, which then
   sends the relevant information back to the RADIUS server using the
   IP-Port-Range attribute carried by an Accounting-Request message.

   Throughout Joe's connection with his ISP's Internet service,
   applications in the external realm can communicate with his web cam
   at home directly, traversing the pre-configured mapping on the CGN
   device.

   When Joe disconnects from his Internet service, the CGN device
   de-allocates all TCP/UDP ports as well as the port-forwarding
   mapping, and sends the relevant information to the RADIUS server.

4.2.  Report Assigned Port Set for a Visiting UE

   Figure 20 illustrates an example of the flow exchange which occurs
   when a visiting UE connects to a CPE offering WLAN service.

   For identification purposes (see [RFC6967]), once the CPE assigns a
   port set, it issues a RADIUS message to report the assigned port set.

     UE         CPE                        NAS                        AAA
      |          |                          BNG                     Server
      |          |                          |                          |
      |          |----Service Request------>|                          |
      |          |                          |                          |
      |          |                          |-----Access-Request------>|
      |          |                          |                          |
      |          |                          |<----Access-Accept--------|
      |          |<---Service Granted ------|                          |
      |          |   (other parameters)     |                          |
     ...        ...                        ...                        ...
      |<---IP@---|                          |                          |
      |          |                          |                          |
      |      (CPE assigns a TCP/UDP port    |                          |
      |       range for this visiting UE)   |                          |
      |          |                          |                          |
      |          |--Accounting-Request-...---------------------------->|
      |          |  (IP-Port-Range          |                          |
      |          |   for allocation)        |                          |
     ...        ...                        ...                        ...
      |          |                          |                          |
      |          |                          |                          |
      |      (CPE withdraws a TCP/UDP port  |                          |
      |       range for a visiting UE)      |                          |
      |          |                          |                          |
      |          |--Accounting-Request-...---------------------------->|
      |          |  (IP-Port-Range          |                          |
      |          |   for de-allocation)     |                          |
      |          |                          |                          |

     Figure 20: RADIUS Message Flow for reporting CPE allocation/de-
                 allocation of a port set to a visiting UE

5.  Table of Attributes

   This document proposes three new RADIUS attributes, with the
   following formats:

   o  IP-Port-Limit: 241.TBD2.

   o  IP-Port-Range: 241.TBD3.

   o  IP-Port-Forwarding-Map: 241.TBD4.

   Note to IANA: it is assumed that Extended-Type-1 "241" will be used
   for these attributes.

   The following table provides a guide as to which types of RADIUS
   packets may contain these attributes, and in what quantity.

   Request  Accept  Reject  Challenge  Acct.    #    Attribute
                                       Request
   0+       0+      0       0          0+       TBA  IP-Port-Limit
   0        0       0       0          0+       TBA  IP-Port-Range
   0+       0+      0       0          0+       TBA  IP-Port-Forwarding-Map

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in packet.
   0+  Zero or more instances of this attribute MAY be present in packet.

6.  Security Considerations

   This document does not introduce any security issue other than the
   ones already identified in RADIUS [RFC2865].  Since Section 4 also
   relies on CoA messages to change a user's port limit and forwarding
   mappings, the security considerations of [RFC5176] apply to those
   exchanges as well.  The attributes defined here carry per-subscriber
   data (internal addresses, local identifiers such as MAC addresses or
   PPP session IDs, and the external address and port sets mapped to
   them), so the RADIUS protections for attribute integrity and
   confidentiality are needed on every path over which they are sent,
   including the accounting path.

7.  IANA Considerations

   This document requires new code point assignments for both IPFIX
   Information Elements and RADIUS attributes as explained in the
   following sub-sections.

7.1.  IANA Considerations on New IPFIX Information Elements

   The following are code point assignments for new IPFIX Information
   Elements as requested by this document:

   o  transportType (refer to Section 3.2.1): The identifier of this
      IPFIX Information Element is TBAx1.
      The data type of this IPFIX Information Element is unsigned8, and
      the Element's value indicates TCP/UDP ports and ICMP identifiers
      (1), TCP/UDP ports (2), TCP ports (3), UDP ports (4) or ICMP
      identifiers (5).

   o  natTransportLimit (refer to Section 3.2.2): The identifier of this
      IPFIX Information Element is TBAx2.  The data type of this IPFIX
      Information Element is unsigned16, and the Element's value is the
      maximum number of IP transport ports to be assigned to an end user
      associated with one or more IPv4 addresses.

   o  localID (refer to Section 3.2.11): The identifier of this IPFIX
      Information Element is TBAx3.  The data type of this IPFIX
      Information Element is string, and the Element's value is an IPv4
      or IPv6 address, a MAC address, a VLAN ID, etc.

7.2.  IANA Considerations on New RADIUS Attributes

   The authors request that Attribute Types and Attribute Values defined
   in this document be registered by the Internet Assigned Numbers
   Authority (IANA) from the RADIUS namespaces as described in the "IANA
   Considerations" section of [RFC3575], in accordance with BCP 26
   [RFC5226].  For RADIUS packets, attributes and registries created by
   this document, IANA is requested to place them at
   http://www.iana.org/assignments/radius-types.

   In particular, this document defines three new RADIUS attributes,
   entitled "IP-Port-Limit" (see Section 3.1.1), "IP-Port-Range" (see
   Section 3.1.2) and "IP-Port-Forwarding-Map" (see Section 3.1.3), with
   assigned values of 241.TBD2, 241.TBD3 and 241.TBD4 from the Short
   Extended Space of [RFC6929]:

   Type      Name                    Meaning
   ----      ----                    -------
   241.TBD2  IP-Port-Limit           see Section 3.1.1
   241.TBD3  IP-Port-Range           see Section 3.1.2
   241.TBD4  IP-Port-Forwarding-Map  see Section 3.1.3

7.3.
IANA Considerations on New RADIUS Nested Attributes

   This specification requests allocation of the following TLVs within
   the attribute IP-Port-Limit 241.TBD2:

   Type        Name                    Meaning
   ----        ----                    -------
   241.TBD2.1  IP-Port-Type            see Section 3.2.1
   241.TBD2.2  IP-Port-Limit           see Section 3.2.2
   241.TBD2.3  IP-Port-Ext-IPv4-Addr   see Section 3.2.3

   This specification requests allocation of the following TLVs within
   the attribute IP-Port-Range 241.TBD3:

   Type        Name                    Meaning
   ----        ----                    -------
   241.TBD3.1  IP-Port-Type            see Section 3.2.1
   241.TBD3.2  IP-Port-Ext-IPv4-Addr   see Section 3.2.3
   241.TBD3.3  IP-Port-Alloc           see Section 3.2.8
   241.TBD3.4  IP-Port-Range-Start     see Section 3.2.9
   241.TBD3.5  IP-Port-Range-End       see Section 3.2.10

   This specification requests allocation of the following TLVs within
   the attribute IP-Port-Forwarding-Map 241.TBD4:

   Type        Name                    Meaning
   ----        ----                    -------
   241.TBD4.1  IP-Port-Type            see Section 3.2.1
   241.TBD4.2  IP-Port-Ext-IPv4-Addr   see Section 3.2.3
   241.TBD4.3  IP-Port-Int-IPv4-Addr   see Section 3.2.4
   241.TBD4.4  IP-Port-Int-IPv6-Addr   see Section 3.2.5
   241.TBD4.5  IP-Port-Int-Port        see Section 3.2.6
   241.TBD4.6  IP-Port-Ext-Port        see Section 3.2.7
   241.TBD4.7  IP-Port-Local-Id        see Section 3.2.11

8.  Acknowledgements

   Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
   Thaler, Alan DeKok, Lionel Morand, and Peter Deacon for their useful
   comments and suggestions.

   Special thanks to Lionel Morand for the Shepherd review.

9.  References

9.1.  Normative References

   [IPFIX]    IANA, "IP Flow Information Export (IPFIX) Entities".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W.
              Simpson, "Remote Authentication Dial In User Service
              (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              DOI 10.17487/RFC3575, July 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013.

9.2.  Informative References

   [I-D.gundavelli-v6ops-community-wifi-svcs]
              Gundavelli, S., Grayson, M., Seite, P., and Y. Lee,
              "Service Provider Wi-Fi Services Over Residential
              Architectures", draft-gundavelli-v6ops-community-wifi-
              svcs-06 (work in progress), April 2013.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y.
              Lee, "Dual-Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6967]  Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Potential Solutions for Revealing a Host
              Identifier (HOST_ID) in Shared Address Deployments",
              RFC 6967, DOI 10.17487/RFC6967, June 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [TR-146]   Broadband Forum, "TR-146: Subscriber Sessions".

Authors' Addresses

   Dean Cheng
   Huawei
   2330 Central Expressway
   Santa Clara, California 95050
   USA

   Email: dean.cheng@huawei.com


   Jouni Korhonen
   Broadcom Corporation
   3151 Zanker Road
   San Jose 95134
   USA

   Email: jouni.nospam@gmail.com


   Mohamed Boucadair
   Orange
   Rennes
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina
   USA

   Email: ssenthil@cisco.com