Network Working Group                                           D. Cheng
Internet-Draft                                                    Huawei
Intended status: Standards Track                             J. Korhonen
Expires: September 18, 2016                         Broadcom Corporation
                                                            M. Boucadair
                                                                  Orange
                                                            S. Sivakumar
                                                           Cisco Systems
                                                          March 17, 2016


       RADIUS Extensions for IP Port Configuration and Reporting
                 draft-ietf-radext-ip-port-radius-ext-09

Abstract

   This document defines three new RADIUS attributes.  For devices
   implementing IP port ranges, these attributes are used to communicate
   with a RADIUS server in order to configure and report TCP/UDP ports
   and ICMP identifiers, as well as mapping behavior for specific hosts.
   This mechanism can be used in various deployment scenarios such as
   Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 18, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Extensions of RADIUS Attributes and TLVs
     3.1.  Extended Attributes for IP Ports
       3.1.1.  IP-Port-Limit-Info Attribute
       3.1.2.  IP-Port-Range Attribute
       3.1.3.  IP-Port-Forwarding-Map Attribute
     3.2.  RADIUS TLVs for IP Ports
       3.2.1.  IP-Port-Type TLV
       3.2.2.  IP-Port-Limit TLV
       3.2.3.  IP-Port-Ext-IPv4-Addr TLV
       3.2.4.  IP-Port-Int-IPv4-Addr TLV
       3.2.5.  IP-Port-Int-IPv6-Addr TLV
       3.2.6.  IP-Port-Int-Port TLV
       3.2.7.  IP-Port-Ext-Port TLV
       3.2.8.  IP-Port-Alloc TLV
       3.2.9.  IP-Port-Range-Start TLV
       3.2.10. IP-Port-Range-End TLV
       3.2.11. IP-Port-Local-Id TLV
   4.  Applications, Use Cases and Examples
     4.1.  Managing CGN Port Behavior using RADIUS
       4.1.1.  Configure IP Port Limit for a User
       4.1.2.  Report IP Port Allocation/Deallocation
       4.1.3.  Configure Forwarding Port Mapping
       4.1.4.  An Example
     4.2.  Report Assigned Port Set for a Visiting UE
   5.  Table of Attributes
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  IANA Considerations on New IPFIX Information Elements
     7.2.  IANA Considerations on New RADIUS Attributes
     7.3.  IANA Considerations on New RADIUS TLVs
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   In a broadband network, customer information is usually stored on a
   RADIUS server [RFC2865].  When a user initiates an IP connection
   request and that request is authorized, the RADIUS server populates
   the user's configuration information to the Network Access Server
   (NAS), which is often referred to as a Broadband Network Gateway
   (BNG) in broadband access networks.  The Carrier-Grade NAT (CGN)
   function may also be implemented on the BNG.  Within this document,
   the CGN may perform the NAT44 [RFC3022], NAT64 [RFC6146], or
   Dual-Stack Lite AFTR [RFC6333] function.  In such cases, the CGN's
   TCP/UDP port (or ICMP identifier) mapping behavior can be part of
   the configuration information sent from the RADIUS server to the
   NAS/BNG.  The NAS/BNG may also report the port/identifier mapping
   behavior applied by the CGN to a user session to the RADIUS server,
   as part of the accounting information sent from the NAS/BNG to a
   RADIUS server.
   When IP packets traverse the CGN, it performs TCP/UDP source port
   mapping or ICMP identifier mapping as required.  A TCP/UDP source
   port or ICMP identifier, along with the source IP address,
   destination IP address, destination port and protocol identifier if
   applicable, uniquely identifies a session.  Since the number space of
   TCP/UDP ports and ICMP identifiers in the CGN's external realm is
   shared among multiple users assigned the same IPv4 address, the total
   number of a user's simultaneous IP sessions is likely to be subject
   to a port quota (see Section 5 of [RFC6269]).

   The attributes defined in this document may also be used to report
   the assigned port range in some deployments such as Provider WLAN
   [I-D.gundavelli-v6ops-community-wifi-svcs].  For example, a visiting
   host can be managed by a CPE (Customer Premises Equipment) which will
   need to report the assigned port range to the service platform.  This
   is required for identification purposes (see TR-146 [TR-146] for more
   details).

   This document defines three new attributes as extensions to the
   RADIUS protocol, each serving a separate purpose:

   1.  IP-Port-Limit-Info: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet.  Its purpose is to limit the total number of TCP/UDP
       ports and/or ICMP identifiers allocated to a user, associated
       with one or more IPv4 addresses.

   2.  IP-Port-Range: This attribute may be carried in a RADIUS
       Accounting-Request packet.  It allows an address sharing device
       (e.g., a CGN) to report to the RADIUS server the range of TCP/UDP
       ports and/or ICMP identifiers that has been allocated or
       deallocated for a user, associated with a given IPv4 address.

   3.  IP-Port-Forwarding-Map: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet.  Its purpose is to specify how an IPv4 address and a
       TCP/UDP port (or an ICMP identifier) are mapped to another IPv4
       address and TCP/UDP port (or ICMP identifier).

   IPFIX Information Elements [RFC7012] can be used for IP flow
   identification and representation over RADIUS.  This document
   provides a mapping between RADIUS TLVs and IPFIX Information Element
   Identifiers.  As a consequence, new IPFIX Information Elements are
   defined by this document (see Section 3).

2.  Terminology

   This document makes use of the following terms:

   o  IP Port: refers to the port numbers of IP transport protocols,
      including TCP port, UDP port and ICMP identifier.

   o  IP Port Type: refers to one of the following: (1) TCP/UDP port and
      ICMP identifier, (2) TCP port and UDP port, (3) TCP port, (4) UDP
      port, or (5) ICMP identifier.

   o  IP Port Limit: denotes the maximum number of IP ports of a
      specific IP port type that a device supporting port ranges can use
      when performing port number mapping for a specific user.  Note
      that this limit is usually associated with one or more IPv4
      addresses.

   o  IP Port Range: specifies a set of contiguous IP ports, indicated
      by the lowest and the highest port number, inclusive.

   o  Internal IP Address: refers to the IP address that is used as the
      source IP address in an outbound IP packet sent towards a device
      supporting port ranges in the internal realm.

   o  External IP Address: refers to the IP address that is used as the
      source IP address in an outbound IP packet after it has traversed
      a device supporting port ranges, in the external realm.
   o  Internal Port: a UDP or TCP port, or an ICMP identifier, which is
      allocated by a host or application behind a device supporting port
      ranges for an outbound IP packet in the internal realm.

   o  External Port: a UDP or TCP port, or an ICMP identifier, which is
      allocated by a device supporting port ranges upon receiving an
      outbound IP packet in the internal realm, and is used to replace
      the internal port that was allocated by a user or application.

   o  External realm: refers to the network segment where external IP
      addresses are used, with respect to the device supporting port
      ranges.

   o  Internal realm: refers to the network segment that is behind a
      device supporting port ranges and where internal IP addresses are
      used.

   o  Mapping: the relationship, maintained by a device supporting port
      ranges, between an internal IP address, internal port and
      protocol, and an external IP address, external port and protocol.

   o  Port-based device: a device that is capable of providing IP
      address and IP port mapping services, in particular with the
      granularity of one or more subsets of the 16-bit IP port number
      range.  Typical examples of such a device are a CGN, a CPE, or a
      Provider WLAN Gateway.

   Note that the definitions of "internal IP address", "internal port",
   "internal realm", "external IP address", "external port", "external
   realm", and "mapping" are the same as defined in the Port Control
   Protocol (PCP) [RFC6887] and the Common Requirements for Carrier-
   Grade NATs (CGNs) [RFC6888].

3.  Extensions of RADIUS Attributes and TLVs

   Three new attributes are defined in the following sub-sections:

   1.  IP-Port-Limit-Info Attribute

   2.  IP-Port-Range Attribute

   3.  IP-Port-Forwarding-Map Attribute

   All these attributes are allocated from the RADIUS "Extended Type"
   code space per [RFC6929].
   These attributes and their embedded TLVs (refer to Section 3.2) are
   defined with globally unique names and follow the guideline in
   Section 2.7.1 of [RFC6929].

   In all the figures describing the RADIUS attribute and TLV formats
   in the following sub-sections, the fields are transmitted from left
   to right.

3.1.  Extended Attributes for IP Ports

3.1.1.  IP-Port-Limit-Info Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains the following sub-attributes:

   o  an IP-Port-Type TLV (see Section 3.2.1),

   o  an IP-Port-Limit TLV (see Section 3.2.2),

   o  an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   It specifies, for an end user, the maximum number of IP ports as
   indicated in the IP-Port-Limit TLV, of a specific port type as
   indicated in the IP-Port-Type TLV, and associated with a given IPv4
   address as indicated in the IP-Port-Ext-IPv4-Addr TLV.

   Note that when the IP-Port-Ext-IPv4-Addr TLV is not included as part
   of the IP-Port-Limit-Info Attribute, the port limit applies to all
   the IPv4 addresses managed by the port device, e.g., a CGN or NAT64
   device.

   The IP-Port-Limit-Info Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet as a
   preferred maximum number of IP ports indicated by the device
   supporting port ranges co-located with the NAS, e.g., a CGN or NAT64.
   However, the RADIUS server is not required to honor such a
   preference.

   The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Limit-Info Attribute is shown in Figure 1.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD1.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Limit TLV

         This TLV contains the maximum number of IP ports of a specific
         IP port type and associated with a given IPv4 address for an
         end user.  This TLV must be included in the IP-Port-Limit-Info
         Attribute.  Refer to Section 3.2.2.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port limit contained in the IP-Port-Limit TLV.  This TLV is
         optionally included as part of the IP-Port-Limit-Info
         Attribute.  Refer to Section 3.2.3.

   The IP-Port-Limit-Info Attribute is associated with the following
   identifier: 241.Extended-Type(TBD1).

3.1.2.  IP-Port-Range Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains the following sub-attributes:

   o  an IP-Port-Type TLV (see Section 3.2.1),

   o  an IP-Port-Range-Start TLV (see Section 3.2.9),

   o  an IP-Port-Range-End TLV (see Section 3.2.10),

   o  an IP-Port-Alloc TLV (see Section 3.2.8),

   o  an optional IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3),

   o  an optional IP-Port-Local-Id TLV (see Section 3.2.11).
   This attribute contains a range of contiguous IP ports of a specific
   port type, associated with an IPv4 address, that is either allocated
   or deallocated by a device for a given user; the information is
   intended to be sent to the RADIUS server.

   This attribute can be used to convey a single IP port number; in that
   case the IP-Port-Range-Start and IP-Port-Range-End TLVs convey the
   same value.

   Within an IP-Port-Range Attribute, the IP-Port-Alloc TLV is always
   included.  For port allocation, both the IP-Port-Range-Start TLV and
   the IP-Port-Range-End TLV must be included; for port deallocation,
   the inclusion of these two TLVs is optional and, if they are not
   included, all ports that were previously allocated are now
   deallocated.  Both the IP-Port-Ext-IPv4-Addr TLV and the
   IP-Port-Local-Id TLV are optional and, if included, they are used by
   a port device (e.g., a CGN device) to identify the end user.

   The IP-Port-Range Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Range Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Range Attribute is shown in Figure 2.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD2.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.
      IP-Port-Alloc TLV

         This TLV contains a flag indicating whether the specified range
         of IP ports is being allocated or deallocated.  This TLV must
         be included as part of the IP-Port-Range Attribute.  Refer to
         Section 3.2.8.

      IP-Port-Range-Start TLV

         This TLV contains the smallest port number of a range of
         contiguous IP ports.  To report a port allocation, this TLV
         must be included together with the IP-Port-Range-End TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.9.

      IP-Port-Range-End TLV

         This TLV contains the largest port number of a range of
         contiguous IP ports.  To report a port allocation, this TLV
         must be included together with the IP-Port-Range-Start TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.10.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port range, as collectively indicated in the
         IP-Port-Range-Start TLV and the IP-Port-Range-End TLV.  This
         TLV is optionally included as part of the IP-Port-Range
         Attribute.  Refer to Section 3.2.3.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IPv6 address/prefix, etc.  This TLV is
         optionally included as part of the IP-Port-Range Attribute.
         Refer to Section 3.2.11.

   The IP-Port-Range Attribute is associated with the following
   identifier: 241.Extended-Type(TBD2).

3.1.3.  IP-Port-Forwarding-Map Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains the following sub-attributes:

   o  an IP-Port-Type TLV (see Section 3.2.1),

   o  an IP-Port-Int-Port TLV (see Section 3.2.6),

   o  an IP-Port-Ext-Port TLV (see Section 3.2.7),

   o  either an IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4) or an
      IP-Port-Local-Id TLV (see Section 3.2.11),

   o  either an IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5) or an
      IP-Port-Local-Id TLV (see Section 3.2.11),

   o  an IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   The attribute contains a 2-byte internal IP port number that is
   associated with an internal IPv4 or IPv6 address, or with a locally
   significant identifier at the customer site, and a 2-byte external IP
   port number that is associated with an external IPv4 address.  The
   internal IPv4 or IPv6 address, or the local identifier, must be
   included; the external IPv4 address may also be included.

   The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet to indicate a
   preferred port mapping by the device co-located with the NAS.
   However, the server is not required to honor such a preference.

   The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request
   packet.

   The IP-Port-Forwarding-Map Attribute MAY also appear in an
   Accounting-Request packet.

   The IP-Port-Forwarding-Map Attribute MUST NOT appear in any other
   RADIUS packet.

   The format of the IP-Port-Forwarding-Map Attribute is shown in
   Figure 3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3

   Type

      241 (To be confirmed by IANA).
   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD3.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Int-Port TLV

         This TLV contains an internal IP port number associated with an
         internal IPv4 or IPv6 address.  This TLV must be included
         together with the IP-Port-Ext-Port TLV as part of the
         IP-Port-Forwarding-Map Attribute.  Refer to Section 3.2.6.

      IP-Port-Ext-Port TLV

         This TLV contains an external IP port number associated with an
         external IPv4 address.  This TLV must be included together with
         the IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.7.

      IP-Port-Int-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an IPv4 network, either this TLV or the IP-Port-Local-Id
         TLV must be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.4.

      IP-Port-Int-IPv6-Addr TLV

         This TLV contains an IPv6 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an IPv6 network, either this TLV or the IP-Port-Local-Id
         TLV must be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.5.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IPv6 address/prefix, etc.  Either this TLV
         or the IP-Port-Int-IPv4-Addr TLV (or IP-Port-Int-IPv6-Addr TLV)
         must be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.11.
      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         external IP port number contained in the IP-Port-Ext-Port TLV.
         This TLV may be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.3.

   The IP-Port-Forwarding-Map Attribute is associated with the following
   identifier: 241.Extended-Type(TBD3).

3.2.  RADIUS TLVs for IP Ports

   The TLVs that are included in the three attributes (see Section 3.1)
   are defined in the following sub-sections.  These TLVs use the format
   defined in [RFC6929].  As the three attributes carry similar data, we
   have defined a common set of TLVs which are used for all three
   attributes.  That is, the TLVs have the same name and number when
   encapsulated in any one of the three parent attributes.  See
   Section 3.1.1, Section 3.1.2, and Section 3.1.3 for a list of which
   TLV is permitted within which parent attribute.

3.2.1.  IP-Port-Type TLV

   The format of the IP-Port-Type TLV is shown in Figure 4.  This TLV
   carries IPFIX Information Element TBAx1, "transportType", which
   indicates the type of IP transport as follows:

   1:  Refers to TCP port, UDP port, and ICMP identifier as a whole.

   2:  Refers to TCP port and UDP port as a whole.

   3:  Refers to TCP port only.

   4:  Refers to UDP port only.

   5:  Refers to ICMP identifier only.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |         transportType
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            transportType          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 4

   TLV-Type

      1

   Length

      6

   transportType

      Integer.  This field contains the data (unsigned8) of
      transportType (TBAx1) defined in IPFIX, right justified, and the
      unused bits in this field MUST be set to zero.
   The IP-Port-Type TLV is included in the following Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see
      Section 3.1.1).

   o  IP-Port-Range Attribute, identified as 241.TBD2.1 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.1 (see
      Section 3.1.3).

3.2.2.  IP-Port-Limit TLV

   The format of the IP-Port-Limit TLV is shown in Figure 5.  This TLV
   carries IPFIX Information Element TBAx2, "natTransportLimit", which
   indicates the maximum number of ports for a given IPv4 address
   assigned to a user for a specified IP-Port-Type.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |       natTransportLimit
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          natTransportLimit        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 5

   TLV-Type

      2

   Length

      6

   natTransportLimit

      Integer.  This field contains the data (unsigned16) of
      natTransportLimit (TBAx2) defined in IPFIX, right justified, and
      the unused bits in this field MUST be set to zero.

   The IP-Port-Limit TLV is included as part of the IP-Port-Limit-Info
   Attribute (refer to Section 3.1.1), identified as 241.TBD1.2.

3.2.3.  IP-Port-Ext-IPv4-Addr TLV

   The format of the IP-Port-Ext-IPv4-Addr TLV is shown in Figure 6.
   This TLV carries IPFIX Information Element 225,
   "postNATSourceIPv4Address", which is the IPv4 source address after
   NAT operation (refer to [IPFIX]).
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |   postNATSourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       postNATSourceIPv4Address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 6

   TLV-Type

      3

   Length

      6

   postNATSourceIPv4Address

      Integer.  This field contains the data (ipv4Address) of
      postNATSourceIPv4Address (225) defined in IPFIX.

   The IP-Port-Ext-IPv4-Addr TLV MAY be included in the following
   Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.3 (see
      Section 3.1.1).

   o  IP-Port-Range Attribute, identified as 241.TBD2.3 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.3 (see
      Section 3.1.3).

3.2.4.  IP-Port-Int-IPv4-Addr TLV

   The format of the IP-Port-Int-IPv4-Addr TLV is shown in Figure 7.
   This TLV carries IPFIX Information Element 8, "sourceIPv4Address",
   which is the IPv4 source address before NAT operation (refer to
   [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |       sourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          sourceIPv4Address        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 7

   TLV-Type

      4

   Length

      6

   sourceIPv4Address

      Integer.  This field contains the data (ipv4Address) of
      sourceIPv4Address (8) defined in IPFIX.

   The IP-Port-Int-IPv4-Addr TLV MAY be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.4.

3.2.5.  IP-Port-Int-IPv6-Addr TLV

   The format of the IP-Port-Int-IPv6-Addr TLV is shown in Figure 8.
   This TLV carries IPFIX Information Element 27, "sourceIPv6Address",
   which is the IPv6 source address before NAT operation (refer to
   [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |       sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          sourceIPv6Address        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 8

   TLV-Type

      5

   Length

      18

   sourceIPv6Address

      IPv6 address (128 bits).  This field contains the data
      (ipv6Address) of sourceIPv6Address (27) defined in IPFIX.

   The IP-Port-Int-IPv6-Addr TLV MAY be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.5.

3.2.6.  IP-Port-Int-Port TLV

   The format of the IP-Port-Int-Port TLV is shown in Figure 9.  This
   TLV carries IPFIX Information Element 7, "sourceTransportPort", which
   is the source transport port number associated with an internal IPv4
   or IPv6 address (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |      sourceTransportPort
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         sourceTransportPort       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 9

   TLV-Type

      6

   Length

      6

   sourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      sourceTransportPort (7) defined in IPFIX, right justified, and
      unused bits MUST be set to zero.
   The IP-Port-Int-Port TLV is included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.6.

3.2.7.  IP-Port-Ext-Port TLV

   The format of the IP-Port-Ext-Port TLV is shown in Figure 10.  This
   TLV carries IPFIX Information Element 227,
   "postNAPTSourceTransportPort", which is the transport port number
   associated with an external IPv4 address (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |  postNAPTSourceTransportPort
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     postNAPTSourceTransportPort   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 10

   TLV-Type

      7

   Length

      6

   postNAPTSourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      postNAPTSourceTransportPort (227) defined in IPFIX, right
      justified, and unused bits must be set to zero.

   The IP-Port-Ext-Port TLV is included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.7.

3.2.8.  IP-Port-Alloc TLV

   The format of the IP-Port-Alloc TLV is shown in Figure 11.  This TLV
   carries IPFIX Information Element 230, "natEvent", which is a flag
   indicating an action of a NAT operation (refer to [IPFIX]).

   When the value of natEvent is "1" (Create event), it means to
   allocate a range of transport ports; when the value is "2", it means
   to deallocate a range of transport ports.  For the purpose of this
   TLV, no other value is used.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |            natEvent
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               natEvent           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 11

   TLV-Type

      8

   Length

      6

   natEvent

      Integer.  This field contains the data (unsigned8) of natEvent (230) defined in IPFIX, right justified, and unused bits must be set to zero.  It indicates the allocation or deallocation of a range of IP ports as follows:

         1:

            Allocation

         2:

            Deallocation

         Reserved:

            0.

   IP-Port-Alloc TLV is included as part of the IP-Port-Range Attribute (refer to Section 3.1.2), identified as 241.TBD2.8.

3.2.9.  IP-Port-Range-Start TLV

   The format of IP-Port-Range-Start TLV is shown in Figure 12.  This attribute carries IPFIX Information Element 361, "portRangeStart", which is the smallest port number of a range of contiguous transport ports (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |          portRangeStart
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            portRangeStart        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 12

   TLV-Type

      9

   Length

      6

   portRangeStart

      Integer.  This field contains the data (unsigned16) of portRangeStart (361) defined in IPFIX, right justified, and unused bits must be set to zero.

   IP-Port-Range-Start TLV is included as part of the IP-Port-Range Attribute (refer to Section 3.1.2), identified as 241.TBD2.9.

3.2.10.  IP-Port-Range-End TLV

   The format of IP-Port-Range-End TLV is shown in Figure 13.
   This attribute carries IPFIX Information Element 362, "portRangeEnd", which is the largest port number of a range of contiguous transport ports (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |           portRangeEnd
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             portRangeEnd         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 13

   TLV-Type

      10

   Length

      6

   portRangeEnd

      Integer.  This field contains the data (unsigned16) of portRangeEnd (362) defined in IPFIX, right justified, and unused bits must be set to zero.

   IP-Port-Range-End TLV is included as part of the IP-Port-Range Attribute (refer to Section 3.1.2), identified as 241.TBD2.10.

3.2.11.  IP-Port-Local-Id TLV

   The format of IP-Port-Local-Id TLV is shown in Figure 14.  This attribute carries IPFIX Information Element TBAx3, "localID", which is a locally significant identifier as explained below.

   In some CGN deployment scenarios such as DS-Extra-Lite [RFC6619] and Lightweight 4over6 [RFC7596], parameters at a customer premise such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6 prefix, VRF ID, etc., may also need to be passed to the RADIUS server as part of the accounting record.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |          localID ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 14

   TLV-Type

      11

   Length

      Variable number of bytes.

   localID

      string.  This field contains the data (string) of localID (TBAx3) defined in IPFIX.  This is a local session identifier at the customer premise, such as MAC address, interface ID, VLAN ID, PPP session ID, VRF ID, IPv6 address/prefix, etc.
   IP-Port-Local-Id TLV MAY be included in the following Attributes:

   o  IP-Port-Range Attribute, identified as 241.TBD2.11 (see Section 3.1.2).

   o  IP-Port-Forwarding-Mapping Attribute, identified as 241.TBD3.11 (see Section 3.1.3).

4.  Applications, Use Cases and Examples

   This section describes some applications and use cases to illustrate the use of the attributes proposed in this document.

4.1.  Managing CGN Port Behavior using RADIUS

   In a broadband network, customer information is usually stored on a RADIUS server, and the BNG acts as a NAS.  The communication between the NAS and the RADIUS server is triggered by a user when it signs in to the Internet service, where either PPP or DHCP/DHCPv6 is used.  When a user signs in, the NAS sends a RADIUS Access-Request message to the RADIUS server.  The RADIUS server validates the request, and if the validation succeeds, it in turn sends back a RADIUS Access-Accept message.  The Access-Accept message carries configuration information specific to that user back to the NAS, where some of the information is passed on to the requesting user via PPP or DHCP/DHCPv6.

   A CGN function in a broadband network would most likely be co-located on a BNG.  In that case, parameters for CGN port/identifier mapping behavior for users can be configured on the RADIUS server.  When a user signs in to the Internet service, the associated parameters can be conveyed to the NAS, and proper configuration is accomplished on the CGN device for that user.

   Also, CGN operation status such as CGN port/identifier allocation and deallocation for a specific user on the BNG can be transmitted back to the RADIUS server for accounting purposes using the RADIUS protocol.
   The RADIUS protocol has already been widely deployed in broadband networks to manage BNGs, thus the functionality described in this specification introduces little overhead to the existing network operation.

   In the following sub-sections, we describe how to manage CGN behavior using the RADIUS protocol, with the required RADIUS extensions proposed in Section 3.

4.1.1.  Configure IP Port Limit for a User

   In the face of IPv4 address shortage, there are currently proposals to multiplex multiple users' connections over a smaller number of shared IPv4 addresses, such as Carrier Grade NAT [RFC6888], Dual-Stack Lite [RFC6333], NAT64 [RFC6146], etc.  As a result, a single IPv4 public address may be shared by hundreds or even thousands of users.  As indicated in [RFC6269], it is therefore necessary to impose limits on the total number of ports available to an individual user to ensure that the shared resource, i.e., the IPv4 address, remains available in some capacity to all the users using it.  The support of an IP port limit is also documented in [RFC6888] as a requirement for CGN.

   The IP port limit imposed on a specific user may be on the total number of TCP and UDP ports plus the number of ICMP identifiers, or with other granularities as defined in Section 3.1.1.

   The per-user IP port limit is configured on a RADIUS server, along with other user information such as credentials.  The value of this IP port limit is based on the service agreement and its specification is out of the scope of this document.

   When a user signs in to the Internet service successfully, the IP port limit for the subscriber is passed by the RADIUS server to the BNG, acting as a NAS and co-located with the CGN, using a new RADIUS attribute called IP-Port-Limit-Info (defined in Section 3.1.1), along with other configuration parameters.
   While some parameters are passed to the user, the IP port limit is recorded on the CGN device for enforcing the usage limit of TCP/UDP ports and ICMP identifiers for that user.

   Figure 15 illustrates how the RADIUS protocol is used to configure the maximum number of TCP/UDP ports for a given user on a NAT44 device.

      User                        NAT44/NAS                       AAA
       |                             BNG                         Server
       |                              |                             |
       |                              |                             |
       |----Service Request---------->|                             |
       |                              |                             |
       |                              |-----Access-Request--------->|
       |                              |                             |
       |                              |<----Access-Accept-----------|
       |                              |     (IP-Port-Limit-Info)    |
       |                              |     (for TCP/UDP ports)     |
       |<---Service Granted ----------|                             |
       |    (other parameters)        |                             |
       |                              |                             |
       |                    (NAT44 external port                    |
       |                     allocation and                         |
       |                     IPv4 address assignment)               |
       |                              |                             |

      Figure 15: RADIUS Message Flow for Configuring NAT44 Port Limit

   The IP port limit created on a CGN device for a specific user using the RADIUS extension may be changed using a RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.  The CoA message may be sent from the RADIUS server directly to the NAS; once the NAS accepts it and sends back a RADIUS CoA ACK message, the new IP port limit replaces the previous one.

   Figure 16 illustrates how the RADIUS protocol is used to increase the TCP/UDP port limit from 1024 to 2048 on a NAT44 device for a specific user.

      User                        NAT44/NAS                       AAA
       |                             BNG                         Server
       |                              |                             |
       |                   TCP/UDP Port Limit (1024)                |
       |                              |                             |
       |                              |<---------CoA Request--------|
       |                              |     (IP-Port-Limit-Info)    |
       |                              |     (for TCP/UDP ports)     |
       |                              |                             |
       |                   TCP/UDP Port Limit (2048)                |
       |                              |                             |
       |                              |---------CoA Response------->|
       |                              |                             |

      Figure 16: RADIUS Message Flow for changing a user's NAT44 port limit

4.1.2.  Report IP Port Allocation/Deallocation

   Upon obtaining the IP port limit for a user, the CGN device needs to allocate a TCP/UDP port or an ICMP identifier for the user when receiving a new IP flow sent from that user.

   As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP identifiers at a time for a specific user, instead of one port/identifier at a time, and within each port bulk, the ports/identifiers may be randomly distributed or in consecutive fashion.  When a CGN device allocates a bulk of TCP/UDP ports and ICMP identifiers, the information can be easily conveyed to the RADIUS server by a new RADIUS attribute called IP-Port-Range (defined in Section 3.1.2).  The CGN device may allocate one or more TCP/UDP port ranges or ICMP identifier ranges, generally called IP port ranges, where each range contains a set of numbers representing TCP/UDP ports or ICMP identifiers, and the total number of ports/identifiers must be less than or equal to the associated IP port limit imposed for that user.  A CGN device may choose to allocate a small port range, and allocate more at a later time as needed; such a practice is beneficial because it is randomized in nature.

   At the same time, the CGN device also needs to decide the shared IPv4 address for that user.  The shared IPv4 address and the pre-allocated IP port range are both passed to the RADIUS server.

   When a user initiates an IP flow, the CGN device randomly selects a TCP/UDP port or ICMP identifier from the associated and pre-allocated IP port range for that user to replace the original source TCP/UDP port or ICMP identifier, along with the replacement of the source IP address by the shared IPv4 address.
   A CGN device may decide to "free" a previously assigned set of TCP/UDP ports or ICMP identifiers that have been allocated for a specific user but are not currently in use, and with that, the CGN device must send the information of the deallocated IP port range along with the shared IPv4 address to the RADIUS server.

   Figure 17 illustrates how the RADIUS protocol is used to report a set of ports allocated and deallocated, respectively, by a NAT44 device for a specific user to the RADIUS server.

      Host                        NAT44/NAS                       AAA
       |                             BNG                         Server
       |                              |                             |
       |                              |                             |
       |----Service Request---------->|                             |
       |                              |                             |
       |                              |-----Access-Request--------->|
       |                              |                             |
       |                              |<----Access-Accept-----------|
       |<---Service Granted ----------|                             |
       |    (other parameters)        |                             |
      ...                            ...                           ...
       |                              |                             |
       |                              |                             |
       |                    (NAT44 decides to allocate              |
       |                     a TCP/UDP port range for the user)     |
       |                              |                             |
       |                              |-----Accounting-Request----->|
       |                              |      (IP-Port-Range         |
       |                              |       for allocation)       |
      ...                            ...                           ...
       |                              |                             |
       |                    (NAT44 decides to deallocate            |
       |                     a TCP/UDP port range for the user)     |
       |                              |                             |
       |                              |-----Accounting-Request----->|
       |                              |      (IP-Port-Range         |
       |                              |       for deallocation)     |
       |                              |                             |

      Figure 17: RADIUS Message Flow for reporting NAT44 allocation/
                        deallocation of a port set

4.1.3.  Configure Forwarding Port Mapping

   In most scenarios, the port mapping on a NAT device is dynamically created when the IP packets of an IP connection initiated by a user arrive.  For some applications, the port mapping needs to be pre-defined, allowing IP packets of applications from outside a CGN device to pass through and be "port forwarded" to the correct user located behind the CGN device.
   Port Control Protocol (PCP) [RFC6887] provides a mechanism to create a mapping from an external IP address and port to an internal IP address and port on a CGN device precisely to achieve the "port forwarding" purpose.  PCP is a server-client protocol capable of creating or deleting a mapping, along with a rich set of features, on a CGN device in dynamic fashion.  In some deployments, all a user needs is a few, typically just one, pre-configured port mapping for applications such as a web cam at home, and such a port mapping remains valid throughout the duration of the customer's Internet service connection time.  In such an environment, it is possible to statically configure a port mapping on the RADIUS server for a user and let the RADIUS protocol propagate the information to the associated CGN device.

   Figure 18 illustrates how the RADIUS protocol is used to configure a forwarding port mapping on a NAT44 device.

      Host                         NAT/NAS                        AAA
       |                             BNG                         Server
       |                              |                             |
       |----Service Request---------->|                             |
       |                              |                             |
       |                              |---------Access-Request----->|
       |                              |                             |
       |                              |<--------Access-Accept-------|
       |                              |    (IP-Port-Forwarding-Map) |
       |<---Service Granted ----------|                             |
       |    (other parameters)        |                             |
       |                              |                             |
       |                    (Create a port mapping                  |
       |                     for the user, and                      |
       |                     associate it with the                  |
       |                     internal IP address                    |
       |                     and external IP address)               |
       |                              |                             |
       |                              |                             |
       |                              |------Accounting-Request---->|
       |                              |    (IP-Port-Forwarding-Map) |

      Figure 18: RADIUS Message Flow for configuring a forwarding port
                                  mapping

   A port forwarding mapping that is created on a CGN device using the RADIUS extension as described above may also be changed using a RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
   The CoA message may be sent from the RADIUS server directly to the NAS; once the NAS accepts it and sends back a RADIUS CoA ACK message, the new port forwarding mapping replaces the previous one.

   Figure 19 illustrates how the RADIUS protocol is used to change an existing port mapping from (a:X) to (a:Y), where "a" is an internal port, and "X" and "Y" are external ports, respectively, for a specific user with a specific IP address.

      Host                         NAT/NAS                        AAA
       |                             BNG                         Server
       |                              |                             |
       |                    Internal IP Address                     |
       |                    Port Map (a:X)                          |
       |                              |                             |
       |                              |<---------CoA Request--------|
       |                              |    (IP-Port-Forwarding-Map) |
       |                              |                             |
       |                    Internal IP Address                     |
       |                    Port Map (a:Y)                          |
       |                              |                             |
       |                              |---------CoA Response------->|
       |                              |    (IP-Port-Forwarding-Map) |

      Figure 19: RADIUS Message Flow for changing a user's forwarding port
                                  mapping

4.1.4.  An Example

   An Internet Service Provider (ISP) assigns 500 TCP/UDP ports for the user Joe.  This number is the limit that can be used for TCP/UDP ports on a NAT44 device for Joe, and is configured on a RADIUS server.  Also, Joe asks for a pre-defined port forwarding mapping on the NAT44 device for his web cam applications (external port 5000 maps to internal port 80).

   When Joe successfully connects to the Internet service, the RADIUS server conveys the TCP/UDP port limit (1000) and the forwarding port mapping (external port 5000 to internal port 80) to the NAT44 device, using the IP-Port-Limit-Info Attribute and the IP-Port-Forwarding-Map Attribute, respectively, carried by an Access-Accept message to the BNG where the NAS and CGN are co-located.

   Upon receiving the first outbound IP packet sent from Joe's laptop, the NAT44 device decides to allocate a small port pool that contains 40 consecutive ports, from 3500 to 3540, inclusively, and also assigns a shared IPv4 address 192.0.2.15, for Joe.
   The NAT44 device also randomly selects one port from the allocated range (say 3519) and uses that port to replace the original source port in outbound IP packets.

   For accounting purposes, the NAT44 device passes this port range (3500-3540) and the shared IPv4 address 192.0.2.15 together to the RADIUS server using the IP-Port-Range Attribute carried by an Accounting-Request message.

   When Joe works on more applications with more outbound IP sessions and the port pool (3500-3540) is close to exhaustion, the NAT44 device allocates a second port pool (8500-8800) in a similar fashion, and also passes the new port range (8500-8800) and IPv4 address 192.0.2.15 together to the RADIUS server using the IP-Port-Range Attribute carried by an Accounting-Request message.  Note that when the CGN allocates more ports, it needs to ensure that the total number of ports allocated for Joe is within the limit.

   Joe decides to upgrade his service agreement with more TCP/UDP ports allowed (up to 1000 ports).  The ISP updates the information in Joe's profile on the RADIUS server, which then sends a CoA-Request message that carries the IP-Port-Limit-Info Attribute with 1000 ports to the NAT44 device; the NAT44 device in turn sends back a CoA-ACK message.  With that, Joe enjoys more available TCP/UDP ports for his applications.

   When Joe travels, most of the IP sessions are closed with their associated TCP/UDP ports released on the NAT44 device, which then sends the relevant information back to the RADIUS server using the IP-Port-Range Attribute carried by an Accounting-Request message.

   Throughout Joe's connection with his ISP Internet service, applications can communicate with his web cam at home from the external realm directly, traversing the pre-configured mapping on the CGN device.
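   As an added illustration (not code from this draft), the following Python encodes and decodes the TLVs of Sections 3.2.5 to 3.2.11 with the checks the text requires (Length, integers right-justified with zero unused bits, only natEvent values 1 and 2) and then replays Joe's port-limit accounting from Section 4.1.4.  The IP-Port-Ext-IPv4-Addr TLV (type 3, Section 3.2.3, not reproduced in this part) is assumed to carry a 4-byte address with Length 6 by analogy with the IPv6 TLV, and the CgnUserPorts limit check is a plausible CGN-side implementation, not one the draft specifies.

```python
import ipaddress
import struct

# TLV-Type values from Section 7.3.  Each TLV is a 1-byte TLV-Type, a 1-byte
# Length (type + length + data) and the IPFIX data; unsigned8/unsigned16 data
# is right-justified in 4 bytes (Length 6) with the unused bits zero.
IP_PORT_EXT_IPV4_ADDR = 3    # Section 3.2.3, not shown above: 4-byte address assumed
IP_PORT_INT_IPV6_ADDR = 5    # Length 18
IP_PORT_INT_PORT, IP_PORT_EXT_PORT = 6, 7
IP_PORT_ALLOC = 8            # natEvent: 1 = allocation, 2 = deallocation, 0 reserved
IP_PORT_RANGE_START, IP_PORT_RANGE_END = 9, 10
IP_PORT_LOCAL_ID = 11        # variable-length string
NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC = 1, 2
ADDR_TLVS = {IP_PORT_EXT_IPV4_ADDR: (ipaddress.IPv4Address, 6),
             IP_PORT_INT_IPV6_ADDR: (ipaddress.IPv6Address, 18)}
U16_TLVS = (IP_PORT_INT_PORT, IP_PORT_EXT_PORT, IP_PORT_RANGE_START, IP_PORT_RANGE_END)

def encode_tlv(tlv_type, value):
    """Serialize one TLV, refusing values the draft does not allow."""
    if tlv_type in ADDR_TLVS:
        body = ADDR_TLVS[tlv_type][0](value).packed
    elif tlv_type == IP_PORT_LOCAL_ID:
        body = value.encode("utf-8")
    elif tlv_type in U16_TLVS and 0 <= value <= 0xFFFF:
        body = struct.pack("!I", value)            # unused high bits are zero
    elif tlv_type == IP_PORT_ALLOC and value in (NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC):
        body = struct.pack("!I", value)
    else:
        raise ValueError("TLV-Type %d cannot carry %r" % (tlv_type, value))
    if len(body) + 2 > 255:
        raise ValueError("data too long for a 1-byte Length")
    return struct.pack("!BB", tlv_type, len(body) + 2) + body

def decode_tlvs(data):
    """Parse a TLV sequence into {TLV-Type: value}; bad lengths, non-zero
    unused bits and reserved natEvent values raise ValueError."""
    out, off = {}, 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BB", data, off)
        if length < 2 or off + length > len(data):
            raise ValueError("TLV Length %d does not fit the data" % length)
        body = data[off + 2:off + length]
        if tlv_type in ADDR_TLVS and length == ADDR_TLVS[tlv_type][1]:
            value = ADDR_TLVS[tlv_type][0](body)
        elif tlv_type == IP_PORT_LOCAL_ID:
            value = body.decode("utf-8")
        elif tlv_type in U16_TLVS + (IP_PORT_ALLOC,) and length == 6:
            value = struct.unpack("!I", body)[0]
            if value & ~(0xFF if tlv_type == IP_PORT_ALLOC else 0xFFFF):
                raise ValueError("unused bits of TLV-Type %d are not zero" % tlv_type)
            if tlv_type == IP_PORT_ALLOC and value not in (NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC):
                raise ValueError("reserved natEvent value %d" % value)
        else:
            raise ValueError("unexpected TLV-Type %d with Length %d" % (tlv_type, length))
        out[tlv_type] = value
        off += length
    return out

def port_range_tlvs(nat_event, start, end, ext_ipv4):
    """TLV set a CGN reports inside an IP-Port-Range Attribute (Section 4.1.2)."""
    if start > end:
        raise ValueError("portRangeStart must not exceed portRangeEnd")
    return (encode_tlv(IP_PORT_ALLOC, nat_event) + encode_tlv(IP_PORT_EXT_IPV4_ADDR, ext_ipv4)
            + encode_tlv(IP_PORT_RANGE_START, start) + encode_tlv(IP_PORT_RANGE_END, end))

class CgnUserPorts:
    """Per-user bookkeeping on the CGN (hypothetical): the ports in all allocated
    ranges must stay within the limit received in IP-Port-Limit-Info."""
    def __init__(self, limit, ext_ipv4):
        self.limit, self.ext_ipv4, self.ranges = limit, ext_ipv4, []
    def allocated(self):
        return sum(end - start + 1 for start, end in self.ranges)
    def allocate(self, start, end):
        record = port_range_tlvs(NAT_EVENT_ALLOC, start, end, self.ext_ipv4)
        if self.allocated() + (end - start + 1) > self.limit:
            raise ValueError("allocation would exceed the user's IP port limit")
        self.ranges.append((start, end))
        return record                      # carried in an Accounting-Request
    def deallocate(self, start, end):
        self.ranges.remove((start, end))
        return port_range_tlvs(NAT_EVENT_DEALLOC, start, end, self.ext_ipv4)
    def apply_coa_limit(self, new_limit):
        self.limit = new_limit             # CoA-Request carrying IP-Port-Limit-Info

def joe_scenario():
    """Section 4.1.4 walk-through: limit 500, pools 3500-3540 and 8500-8800 on
    192.0.2.15, a CoA raising the limit to 1000, then the first pool released."""
    joe = CgnUserPorts(limit=500, ext_ipv4="192.0.2.15")
    first = decode_tlvs(joe.allocate(3500, 3540))
    second = decode_tlvs(joe.allocate(8500, 8800))
    joe.apply_coa_limit(1000)
    released = decode_tlvs(joe.deallocate(3500, 3540))
    return first, second, released, joe.allocated()
```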
   When Joe disconnects from his Internet service, the CGN device will deallocate all TCP/UDP ports as well as the port-forwarding mapping, and send the relevant information to the RADIUS server.

4.2.  Report Assigned Port Set for a Visiting UE

   Figure 20 illustrates an example of the flow exchange which occurs when a visiting UE connects to a CPE offering WLAN service.

   For identification purposes (see [RFC6967]), once the CPE assigns a port set, it issues a RADIUS message to report the assigned port set.

      UE          CPE                 NAS                       AAA
       |           |                  BNG                      Server
       |           |                   |                          |
       |           |                   |                          |
       |           |--Service Request->|                          |
       |           |                   |                          |
       |           |                   |-----Access-Request------>|
       |           |                   |                          |
       |           |                   |<----Access-Accept--------|
       |           |<-Service Granted--|                          |
       |           |  (other parameters)                          |
      ...         ...                 ...                        ...
       |<---IP@----|                   |                          |
       |           |                   |                          |
       |   (CPE assigns a TCP/UDP port |                          |
       |    range for this visiting UE)|                          |
       |           |                   |                          |
       |           |--Accounting-Request-...------------------->  |
       |           |  (IP-Port-Range   |                          |
       |           |   for allocation) |                          |
      ...         ...                 ...                        ...
       |           |                   |                          |
       |           |                   |                          |
       |   (CPE withdraws a TCP/UDP port                          |
       |    range for a visiting UE)   |                          |
       |           |                   |                          |
       |           |--Accounting-Request-...------------------->  |
       |           |  (IP-Port-Range   |                          |
       |           |   for deallocation)                          |
       |           |                   |                          |

      Figure 20: RADIUS Message Flow for reporting CPE allocation/
                 deallocation of a port set to a visiting UE

5.  Table of Attributes

   This document proposes three new RADIUS attributes and their formats are as follows:

   o  IP-Port-Limit-Info: 241.TBD1.

   o  IP-Port-Range: 241.TBD2.

   o  IP-Port-Forwarding-Map: 241.TBD3.

   Note to IANA: it is assumed that Extended-Type-1 "241" will be used for these attributes.

   The following table provides a guide as to what type of RADIUS packets may contain these attributes, and in what quantity.

   Request Accept Reject Challenge Acct.     #   Attribute
                                    Request
   0+      0+     0      0         0+        TBA IP-Port-Limit-Info
   0       0      0      0         0+        TBA IP-Port-Range
   0+      0+     0      0         0+        TBA IP-Port-Forwarding-Map

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in packet.
   0+  Zero or more instances of this attribute MAY be present in packet.

6.  Security Considerations

   This document does not introduce any security issue other than the ones already identified in RADIUS [RFC2865].

7.  IANA Considerations

   This document requires new code point assignments for both IPFIX Information Elements and RADIUS attributes as explained in the following sub-sections.

   It is assumed that Extended-Type-1 "241" will be used for the RADIUS attributes in Section 7.2.

7.1.  IANA Considerations on New IPFIX Information Elements

   The following are code point assignments for new IPFIX Information Elements as requested by this document:

   o  transportType (refer to Section 3.2.1): The identifier of this IPFIX Information Element is TBAx1.  The data type of this IPFIX Information Element is unsigned8, and the Element's value indicates TCP/UDP ports and ICMP Identifiers (1), TCP/UDP ports (2), TCP ports (3), UDP ports (4) or ICMP identifiers (5).

   o  natTransportLimit (refer to Section 3.2.2): The identifier of this IPFIX Information Element is TBAx2.  The data type of this IPFIX Information Element is unsigned16, and the Element's value is the maximum number of IP transport ports to be assigned to an end user associated with one or more IPv4 addresses.

   o  localID (refer to Section 3.2.11): The identifier of this IPFIX Information Element is TBAx3.  The data type of this IPFIX Information Element is string, and the Element's value is an IPv4 or IPv6 address, a MAC address, a VLAN ID, etc.

7.2.  IANA Considerations on New RADIUS Attributes

   The authors request that the Attribute Types and Attribute Values defined in this document be registered by the Internet Assigned Numbers Authority (IANA) from the RADIUS namespaces as described in the "IANA Considerations" section of [RFC3575], in accordance with BCP 26 [RFC5226].  For the RADIUS packets, attributes and registries created by this document, IANA is requested to place them at http://www.iana.org/assignments/radius-types.

   In particular, this document defines three new RADIUS attributes, entitled "IP-Port-Limit-Info" (see Section 3.1.1), "IP-Port-Range" (see Section 3.1.2) and "IP-Port-Forwarding-Map" (see Section 3.1.3), with assigned values of 241.TBD1, 241.TBD2 and 241.TBD3 from the Short Extended Space of [RFC6929]:

   Type      Name                    Meaning
   ----      ----                    -------
   241.TBD1  IP-Port-Limit-Info      see Section 3.1.1
   241.TBD2  IP-Port-Range           see Section 3.1.2
   241.TBD3  IP-Port-Forwarding-Map  see Section 3.1.3

7.3.  IANA Considerations on New RADIUS TLVs

   This specification requests allocation of the following TLVs:

   Name                   Value  Meaning
   ----                   -----  -------
   IP-Port-Type           1      see Section 3.2.1
   IP-Port-Limit          2      see Section 3.2.2
   IP-Port-Ext-IPv4-Addr  3      see Section 3.2.3
   IP-Port-Int-IPv4-Addr  4      see Section 3.2.4
   IP-Port-Int-IPv6-Addr  5      see Section 3.2.5
   IP-Port-Int-Port       6      see Section 3.2.6
   IP-Port-Ext-Port       7      see Section 3.2.7
   IP-Port-Alloc          8      see Section 3.2.8
   IP-Port-Range-Start    9      see Section 3.2.9
   IP-Port-Range-End      10     see Section 3.2.10
   IP-Port-Local-Id       11     see Section 3.2.11

8.  Acknowledgements

   Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David Thaler, Alan DeKok, Lionel Morand, and Peter Deacon for their useful comments and suggestions.

   Special thanks to Lionel Morand for the Shepherd review.

9.  References

9.1.  Normative References

   [IPFIX]    IANA, "IP Flow Information Export (IPFIX) Entities".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, DOI 10.17487/RFC3575, July 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User Service (RADIUS) Protocol Extensions", RFC 6929, DOI 10.17487/RFC6929, April 2013.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model for IP Flow Information Export (IPFIX)", RFC 7012, DOI 10.17487/RFC7012, September 2013.

9.2.  Informative References

   [I-D.gundavelli-v6ops-community-wifi-svcs]
              Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, "Service Provider Wi-Fi Services Over Residential Architectures", draft-gundavelli-v6ops-community-wifi-svcs-06 (work in progress), April 2013.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 5176, DOI 10.17487/RFC5176, January 2008.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and P. Roberts, "Issues with IP Address Sharing", RFC 6269, DOI 10.17487/RFC6269, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable Operation of Address Translators with Per-Interface Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, DOI 10.17487/RFC6887, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013.

   [RFC6967]  Boucadair, M., Touch, J., Levis, P., and R. Penno, "Analysis of Potential Solutions for Revealing a Host Identifier (HOST_ID) in Shared Address Deployments", RFC 6967, DOI 10.17487/RFC6967, June 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. Farrer, "Lightweight 4over6: An Extension to the Dual-Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, July 2015.

   [TR-146]   Broadband Forum, "TR-146: Subscriber Sessions".
Authors' Addresses

   Dean Cheng
   Huawei
   2330 Central Expressway
   Santa Clara, California 95050
   USA

   Email: dean.cheng@huawei.com


   Jouni Korhonen
   Broadcom Corporation
   3151 Zanker Road
   San Jose 95134
   USA

   Email: jouni.nospam@gmail.com


   Mohamed Boucadair
   Orange
   Rennes
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina
   USA

   Email: ssenthil@cisco.com