Network Working Group                                           D. Cheng
Internet-Draft                                                    Huawei
Intended status: Standards Track                             J. Korhonen
Expires: April 21, 2017                             Broadcom Corporation
                                                            M. Boucadair
                                                                  Orange
                                                            S. Sivakumar
                                                           Cisco Systems
                                                        October 18, 2016


        RADIUS Extensions for IP Port Configuration and Reporting
                 draft-ietf-radext-ip-port-radius-ext-14

Abstract

   This document defines three new RADIUS attributes.  For devices that
   implement IP port ranges, these attributes are used to communicate
   with a RADIUS server in order to configure and report IP transport
   ports, as well as mapping behavior for specific hosts.  This
   mechanism can be used in various deployment scenarios such as
   Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.
   This document defines a mapping between some RADIUS attributes and
   IPFIX Information Element Identifiers.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 21, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Extensions of RADIUS Attributes and TLVs
     3.1.  Extended Attributes for IP Ports
       3.1.1.  IP-Port-Limit-Info Attribute
       3.1.2.  IP-Port-Range Attribute
       3.1.3.  IP-Port-Forwarding-Map Attribute
     3.2.  RADIUS TLVs for IP Ports
       3.2.1.  IP-Port-Type TLV
       3.2.2.  IP-Port-Limit TLV
       3.2.3.  IP-Port-Ext-IPv4-Addr TLV
       3.2.4.  IP-Port-Int-IPv4-Addr TLV
       3.2.5.  IP-Port-Int-IPv6-Addr TLV
       3.2.6.  IP-Port-Int-Port TLV
       3.2.7.  IP-Port-Ext-Port TLV
       3.2.8.  IP-Port-Alloc TLV
       3.2.9.  IP-Port-Range-Start TLV
       3.2.10. IP-Port-Range-End TLV
       3.2.11. IP-Port-Local-Id TLV
   4.  Applications, Use Cases and Examples
     4.1.  Managing CGN Port Behavior using RADIUS
       4.1.1.  Configure IP Port Limit for a User
       4.1.2.  Report IP Port Allocation/Deallocation
       4.1.3.  Configure Forwarding Port Mapping
       4.1.4.  An Example
     4.2.  Report Assigned Port Set for a Visiting UE
   5.  Table of Attributes
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  IANA Considerations on New IPFIX Information Elements
     7.2.  IANA Considerations on New RADIUS Attributes
     7.3.  IANA Considerations on New RADIUS TLVs
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   In a broadband network, customer information is usually stored on a
   RADIUS server [RFC2865].  At the time when a user initiates an IP
   connection request, if this request is authorized, the RADIUS server
   will populate the user's configuration information to the Network
   Access Server (NAS), which is often referred to as a Broadband
   Network Gateway (BNG) in broadband access networks.  The
   Carrier-Grade NAT (CGN) function may also be implemented on the BNG.
   Within this document, the CGN may perform NAT44 [RFC3022], NAT64
   [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function.  In such case,
   the CGN IP transport port (e.g., TCP/UDP port) mapping(s) behavior(s)
   can be part of the configuration information sent from the RADIUS
   server to the NAS/BNG.
   The NAS/BNG may also report to the RADIUS server the IP port mapping
   behavior applied by the CGN to a user session, as part of the
   accounting information sent from the NAS/BNG to the RADIUS server.

   When IP packets traverse the CGN, it performs mapping on the IP
   transport (e.g., TCP/UDP) source port as required.  An IP transport
   source port, along with the source IP address, destination IP
   address, destination port, and protocol identifier if applicable,
   uniquely identifies a mapping.  Since the number space of IP
   transport ports in the CGN's external realm is shared among multiple
   users assigned the same IPv4 address, the total number of a user's
   simultaneous IP mappings is likely to be subject to a port quota (see
   Section 5 of [RFC6269]).

   The attributes defined in this document may also be used to report
   the assigned port range in some deployments such as Provider WLAN
   [I-D.gundavelli-v6ops-community-wifi-svcs].  For example, a visiting
   host can be managed by a CPE (Customer Premises Equipment) which
   will need to report the assigned port range to the service platform.
   This is required for identification purposes (see TR-146 [TR-146] for
   more details).

   This document proposes three new attributes as extensions to the
   RADIUS protocol; they are used for separate purposes as follows:

   1.  IP-Port-Limit-Info: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet.  The purpose of this attribute is to limit the total
       number of IP source transport ports allocated to a user,
       associated with one or more IPv4 or IPv6 addresses.

   2.  IP-Port-Range: This attribute may be carried in a RADIUS
       Accounting-Request packet.
       The purpose of this attribute is for an address sharing device
       (e.g., a CGN) to report to the RADIUS server the range of IP
       source transport ports that have been allocated or deallocated
       for a user.  The port range is bound to an external IPv4
       address.

   3.  IP-Port-Forwarding-Map: This attribute may be carried in a
       RADIUS Access-Accept, Access-Request, Accounting-Request or
       CoA-Request packet.  The purpose of this attribute is to specify
       how an IP internal source transport port together with its
       internal IPv4 or IPv6 address is mapped to an external source
       transport port along with the external IPv4 address.

   IPFIX Information Elements [RFC7012] can be used for IP flow
   identification and representation over RADIUS.  This document
   provides a mapping between some RADIUS TLVs and IPFIX Information
   Element Identifiers.  A new IPFIX Information Element is defined by
   this document (see Section 3.2.2).

   IP protocol numbers (refer to [ProtocolNumbers]) can be used for
   identification of IP transport protocols (e.g., TCP, UDP, DCCP, and
   SCTP) that are associated with some RADIUS attributes.

   This document focuses on IPv4 address sharing.  IPv6 prefix sharing
   mechanisms (e.g., NPTv6) are out of scope.

2.  Terminology

   This document makes use of the following terms:

   o  IP Port: refers to an IP transport port (e.g., TCP port number,
      UDP port number).

   o  IP Port Type: refers to the IP transport protocol as indicated by
      the IP transport protocol number (refer to [ProtocolNumbers]).

   o  IP Port Limit: denotes the maximum number of IP ports for a
      specific IP port type that a device supporting port ranges can
      use when performing port number mappings for a specific user/host.
      Note that this limit is usually associated with one or more
      IPv4/IPv6 addresses.
   o  IP Port Range: specifies a set of contiguous IP ports, indicated
      by the lowest numerical number and the highest numerical number,
      inclusively.

   o  Internal IP Address: refers to the IP address that is used by a
      host as a source IP address in an outbound IP packet sent towards
      a device supporting port ranges in the internal realm.  The
      internal IP address may be IPv4 or IPv6.

   o  External IP Address: refers to the IP address that is used as a
      source IP address in an outbound IP packet after traversing a
      device supporting port ranges in the external realm.  This
      document assumes that the external IP address is an IPv4 address.

   o  Internal Port: is an IP transport port, which is allocated by a
      host or application behind an address sharing device for an
      outbound IP packet in the internal realm.

   o  External Port: is an IP transport port, which is allocated by an
      address sharing device upon receiving an outbound IP packet in the
      internal realm, and is used to replace the internal port that is
      allocated by a user or application.

   o  External realm: refers to the networking segment where external IP
      addresses are used as source addresses of outbound packets
      forwarded by an address sharing device.

   o  Internal realm: refers to the networking segment that is behind an
      address sharing device and where internal IP addresses are used.

   o  Mapping: denotes a relationship between an internal IP address,
      internal port and the protocol, and an external IP address,
      external port, and the protocol.

   o  Address sharing device: a device that is capable of sharing an
      IPv4 address among multiple users.  Typical examples of such a
      device are a CGN, a CPE, a Provider WLAN Gateway, etc.

3.  Extensions of RADIUS Attributes and TLVs

   These three new attributes are defined in the following sub-sections:

   1.  IP-Port-Limit-Info Attribute

   2.  IP-Port-Range Attribute

   3.  IP-Port-Forwarding-Map Attribute

   All these attributes are allocated from the RADIUS "Extended Type"
   code space per [RFC6929].

   These attributes and their embedded TLVs (refer to Section 3.2) are
   defined with globally unique names and follow the guideline in
   Section 2.7.1 of [RFC6929].

   In all the figures describing the RADIUS attributes and TLV formats
   in the following sub-sections, the fields are transmitted from left
   to right.

3.1.  Extended Attributes for IP Ports

3.1.1.  IP-Port-Limit-Info Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains some sub-attributes and the
   requirement is as follows:

   o  The IP-Port-Limit-Info Attribute MAY contain the IP-Port-Type TLV
      (see Section 3.2.1).

   o  The IP-Port-Limit-Info Attribute MUST contain the IP-Port-Limit
      TLV (see Section 3.2.2).

   o  The IP-Port-Limit-Info Attribute MAY contain the
      IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   The IP-Port-Limit-Info Attribute specifies the maximum number of IP
   ports as indicated in the IP-Port-Limit TLV, of a specific IP
   transport protocol as indicated in the IP-Port-Type TLV, and
   associated with a given IPv4 address as indicated in the
   IP-Port-Ext-IPv4-Addr TLV for an end user.

   Note that when the IP-Port-Type TLV is not included as part of the
   IP-Port-Limit-Info Attribute, the port limit applies to all IP
   transport protocols.

   Note also that when the IP-Port-Ext-IPv4-Addr TLV is not included as
   part of the IP-Port-Limit-Info Attribute, the port limit applies to
   all the IPv4 addresses managed by the address sharing device, e.g., a
   CGN or NAT64 device.

   The IP-Port-Limit-Info Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet as a
   preferred maximum number of IP ports indicated by the device
   supporting port ranges co-located with the NAS, e.g., a CGN or NAT64.
   The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Limit-Info Attribute is shown in Figure 1.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD1.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Limit TLV

         This TLV contains the maximum number of IP ports of a specific
         IP port type and associated with a given IPv4 address for an
         end user.  This TLV MUST be included in the IP-Port-Limit-Info
         Attribute.  Refer to Section 3.2.2.  This limit applies to all
         mappings that can be instantiated by an underlying address
         sharing device without soliciting any external entity.  In
         particular, this limit does not include the ports that are
         instructed by an AAA server.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port limit contained in the IP-Port-Limit TLV.  This TLV is
         optionally included as part of the IP-Port-Limit-Info
         Attribute.  Refer to Section 3.2.3.

   The IP-Port-Limit-Info Attribute is associated with the following
   identifier: 241.Extended-Type(TBD1).

3.1.2.  IP-Port-Range Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains some sub-attributes and the
   requirement is as follows:

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Type TLV (see
      Section 3.2.1).

   o  The IP-Port-Range Attribute MUST contain the IP-Port-Alloc TLV
      (see Section 3.2.8).

   o  For port allocation, the IP-Port-Range Attribute MUST contain both
      the IP-Port-Range-Start TLV (see Section 3.2.9) and the
      IP-Port-Range-End TLV (see Section 3.2.10).  For port
      deallocation, the IP-Port-Range Attribute MAY contain both of
      these two TLVs; if the two TLVs are not included, it implies that
      all ports that were previously allocated are now deallocated.

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Ext-IPv4-Addr
      TLV (see Section 3.2.3).

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Local-Id TLV
      (see Section 3.2.11).

   The IP-Port-Range Attribute contains a range of contiguous IP ports.
   These ports are either to be allocated or deallocated depending on
   the Value carried by the IP-Port-Alloc TLV.

   If the IP-Port-Type TLV is included as part of the IP-Port-Range
   Attribute, the port range is associated with the specific IP
   transport protocol as specified in the IP-Port-Type TLV, but
   otherwise is for all IP transport protocols.

   If the IP-Port-Ext-IPv4-Addr TLV is included as part of the
   IP-Port-Range Attribute, the port range as specified is associated
   with the indicated IPv4 address, but otherwise is for all IPv4
   addresses managed by the address sharing device (e.g., a CGN device)
   for the end user.

   This attribute can be used to convey a single IP transport port
   number; in such a case the Value of the IP-Port-Range-Start TLV and
   the Value of the IP-Port-Range-End TLV contain the same port number.
   The information contained in the IP-Port-Range Attribute is sent to
   the RADIUS server.

   The IP-Port-Range Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Range Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Range Attribute is shown in Figure 2.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD2.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Alloc TLV

         This TLV contains a flag indicating whether the specified range
         of IP ports is being allocated or deallocated.  This TLV MUST
         be included as part of the IP-Port-Range Attribute.  Refer to
         Section 3.2.8.

      IP-Port-Range-Start TLV

         This TLV contains the smallest port number of a range of
         contiguous IP ports.  To report the port allocation, this TLV
         MUST be included together with the IP-Port-Range-End TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.9.

      IP-Port-Range-End TLV

         This TLV contains the largest port number of a range of
         contiguous IP ports.  To report the port allocation, this TLV
         MUST be included together with the IP-Port-Range-Start TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.10.
      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port range, as collectively indicated in the
         IP-Port-Range-Start TLV and the IP-Port-Range-End TLV.  This
         TLV is optionally included as part of the IP-Port-Range
         Attribute.  Refer to Section 3.2.3.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IP address/prefix, etc.  This TLV is
         optionally included as part of the IP-Port-Range Attribute.
         Refer to Section 3.2.11.

   The IP-Port-Range Attribute is associated with the following
   identifier: 241.Extended-Type(TBD2).

3.1.3.  IP-Port-Forwarding-Map Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains some sub-attributes and the
   requirement is as follows:

   o  The IP-Port-Forwarding-Map Attribute MAY contain the IP-Port-Type
      TLV (see Section 3.2.1).

   o  The IP-Port-Forwarding-Map Attribute MUST contain both the
      IP-Port-Int-Port TLV (see Section 3.2.6) and the IP-Port-Ext-Port
      TLV (see Section 3.2.7).

   o  If the internal realm uses the IPv4 address family, the
      IP-Port-Forwarding-Map Attribute MUST contain the
      IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4); if the internal
      realm uses the IPv6 address family, the IP-Port-Forwarding-Map
      Attribute MUST contain the IP-Port-Int-IPv6-Addr TLV (see
      Section 3.2.5).

   o  The IP-Port-Forwarding-Map Attribute MAY contain the
      IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   o  The IP-Port-Forwarding-Map Attribute MAY contain the
      IP-Port-Local-Id TLV (see Section 3.2.11).

   The attribute contains a 2-byte IP internal port number and a 2-byte
   IP external port number.  The internal port number is associated with
   an internal IPv4 or IPv6 address that MUST always be included.
   The external port number is associated with a specific external IPv4
   address if one is included, but otherwise with all external IPv4
   addresses for the end user.

   If the IP-Port-Type TLV is included as part of the
   IP-Port-Forwarding-Map Attribute, the port mapping is associated with
   the specific IP transport protocol as specified in the IP-Port-Type
   TLV, but otherwise is for all IP transport protocols.

   The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet to indicate a
   preferred port mapping by the device co-located with the NAS.
   However, the server is not required to honor such a preference.

   The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request
   packet.

   The IP-Port-Forwarding-Map Attribute MAY also appear in an
   Accounting-Request packet.

   The IP-Port-Forwarding-Map Attribute MUST NOT appear in any other
   RADIUS packet.

   The format of the IP-Port-Forwarding-Map Attribute is shown in
   Figure 3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD3.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Int-Port TLV

         This TLV contains an internal IP port number associated with an
         internal IPv4 or IPv6 address.
         This TLV MUST be included together with the IP-Port-Ext-Port
         TLV as part of the IP-Port-Forwarding-Map Attribute.  Refer to
         Section 3.2.6.

      IP-Port-Ext-Port TLV

         This TLV contains an external IP port number associated with an
         external IPv4 address.  This TLV MUST be included together with
         the IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.7.

      IP-Port-Int-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an internal realm using the IPv4 address family, this TLV
         MUST be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.4.

      IP-Port-Int-IPv6-Addr TLV

         This TLV contains an IPv6 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an internal realm using the IPv6 address family, this TLV
         MUST be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.5.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         external IP port number contained in the IP-Port-Ext-Port TLV.
         This TLV MAY be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.3.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IP address/prefix, etc.  This TLV is
         optionally included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.11.

   The IP-Port-Forwarding-Map Attribute is associated with the following
   identifier: 241.Extended-Type(TBD3).

3.2.  RADIUS TLVs for IP Ports

   The TLVs that are included in the three attributes (see Section 3.1)
   are defined in the following sub-sections.  These TLVs use the format
   defined in [RFC6929].
   As the three attributes carry similar data, we have defined a common
   set of TLVs which are used for all three attributes.  That is, the
   TLVs have the same name and number when encapsulated in any one of
   the three parent attributes.  See Section 3.1.1, Section 3.1.2, and
   Section 3.1.3 for a list of which TLV is permitted within which
   parent attribute.

3.2.1.  IP-Port-Type TLV

   The format of the IP-Port-Type TLV is shown in Figure 4.  This TLV
   carries the IP transport protocol number defined by IANA (refer to
   [ProtocolNumbers]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |        Protocol-Number
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Protocol-Number         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 4

   TLV-Type

      1

   Length

      6

   Protocol-Number

      Integer.  This field contains the data (unsigned8) of the protocol
      number defined in [ProtocolNumbers], right justified, and the
      unused bits in this field MUST be set to zero.  Protocols that do
      not use a port number (e.g., Resource Reservation Protocol (RSVP),
      IP Encapsulating Security Payload (ESP)) MUST NOT be included in
      the IP-Port-Type TLV.

   The IP-Port-Type TLV MAY be included in the following Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see
      Section 3.1.1).

   o  IP-Port-Range Attribute, identified as 241.TBD2.1 (see
      Section 3.1.2).

   When the IP-Port-Type TLV is included within a RADIUS Attribute, the
   associated attribute is applied to the IP transport protocol as
   indicated by the Protocol-Number only, such as TCP, UDP, SCTP
   [RFC4960], DCCP [RFC4340], etc.

3.2.2.  IP-Port-Limit TLV

   The format of the IP-Port-Limit TLV is shown in Figure 5.
   This TLV carries the IPFIX Information Element
   "sourceTransportPortsLimit" (TBAx1), which indicates the maximum
   number of IP transport ports that an end user may use, associated
   with one or more IPv4 or IPv6 addresses.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |   sourceTransportPortsLimit
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      sourceTransportPortsLimit    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 5

   TLV-Type

      2

   Length

      6

   sourceTransportPortsLimit

      Integer.  This field contains the data (unsigned16) of
      sourceTransportPortsLimit (TBAx1) defined in IPFIX, right
      justified, and the unused bits in this field MUST be set to zero.

   The IP-Port-Limit TLV MUST be included as part of the
   IP-Port-Limit-Info Attribute (refer to Section 3.1.1), identified as
   241.TBD1.2.

3.2.3.  IP-Port-Ext-IPv4-Addr TLV

   The format of the IP-Port-Ext-IPv4-Addr TLV is shown in Figure 6.
   This TLV carries IPFIX Information Element 225,
   "postNATSourceIPv4Address", which is the IPv4 source address after
   the NAT operation (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |    postNATSourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       postNATSourceIPv4Address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 6

   TLV-Type

      3

   Length

      6

   postNATSourceIPv4Address

      Integer.  This field contains the data (ipv4Address) of
      postNATSourceIPv4Address (225) defined in IPFIX.

   The IP-Port-Ext-IPv4-Addr TLV MAY be included in the following
   Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.3 (see
      Section 3.1.1).
   o  IP-Port-Range Attribute, identified as 241.TBD2.3 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.3 (see
      Section 3.1.3).

3.2.4.  IP-Port-Int-IPv4-Addr TLV

   The format of the IP-Port-Int-IPv4-Addr TLV is shown in Figure 7.
   This TLV carries IPFIX Information Element 8, "sourceIPv4Address",
   which is the IPv4 source address before the NAT operation (refer to
   [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |       sourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          sourceIPv4Address        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 7

   TLV-Type

      4

   Length

      6

   sourceIPv4Address

      Integer.  This field contains the data (ipv4Address) of
      sourceIPv4Address (8) defined in IPFIX.

   If the internal realm uses the IPv4 address family, the
   IP-Port-Int-IPv4-Addr TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.4.

3.2.5.  IP-Port-Int-IPv6-Addr TLV

   The format of the IP-Port-Int-IPv6-Addr TLV is shown in Figure 8.
   This TLV carries IPFIX Information Element 27, "sourceIPv6Address",
   which is the IPv6 source address before the NAT operation (refer to
   [IPFIX]).
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       sourceIPv6Address           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 8

   TLV-Type

      5

   Length

      18

   sourceIPv6Address

      IPv6 address (128 bits).  This field contains the data
      (ipv6Address) of sourceIPv6Address (27) defined in IPFIX.

   If the internal realm uses the IPv6 address family, the
   IP-Port-Int-IPv6-Addr TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.5.

3.2.6.  IP-Port-Int-Port TLV

   The format of the IP-Port-Int-Port TLV is shown in Figure 9.  This
   TLV carries IPFIX Information Element 7, "sourceTransportPort", which
   is the source transport port number associated with an internal IPv4
   or IPv6 address (refer to [IPFIX]).  The value is encoded in 32 bits
   as per the recommendation in Appendix A.2.1 of [RFC6158].

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   sourceTransportPort
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       sourceTransportPort         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 9

   TLV-Type

      6

   Length

      6

   sourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      sourceTransportPort (7) defined in IPFIX, right justified, and
      unused bits MUST be set to zero.
   The IP-Port-Int-Port TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.6.

3.2.7.  IP-Port-Ext-Port TLV

   The format of the IP-Port-Ext-Port TLV is shown in Figure 10.  This
   TLV carries IPFIX Information Element 227,
   "postNAPTSourceTransportPort", which is the transport port number
   associated with an external IPv4 address (refer to [IPFIX]).  The
   value is encoded in 32 bits as per the recommendation in
   Appendix A.2.1 of [RFC6158].

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   postNAPTSourceTransportPort
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       postNAPTSourceTransportPort |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 10

   TLV-Type

      7

   Length

      6

   postNAPTSourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      postNAPTSourceTransportPort (227) defined in IPFIX, right
      justified, and unused bits MUST be set to zero.

   The IP-Port-Ext-Port TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.7.

3.2.8.  IP-Port-Alloc TLV

   The format of the IP-Port-Alloc TLV is shown in Figure 11.  This TLV
   carries IPFIX Information Element 230, "natEvent", which is a flag
   indicating the action of a NAT operation (refer to [IPFIX]).

   When the value of natEvent is 1 (Create event), it signals the
   allocation of a range of transport ports; when the value is 2, it
   signals the deallocation of a range of transport ports.  For the
   purpose of this TLV, no other value is used.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   natEvent
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       natEvent                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 11

   TLV-Type

      8

   Length

      6

   natEvent

      Integer.  This field contains the data (unsigned8) of natEvent
      (230) defined in IPFIX, right justified, and unused bits MUST be
      set to zero.  It indicates the allocation or deallocation of a
      range of IP ports as follows:

      1:  Allocation

      2:  Deallocation

      Reserved:  0.

   The IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.TBD2.8.

3.2.9.  IP-Port-Range-Start TLV

   The format of the IP-Port-Range-Start TLV is shown in Figure 12.
   This TLV carries IPFIX Information Element 361, "portRangeStart",
   which is the smallest port number of a range of contiguous transport
   ports (refer to [IPFIX]).  The value is encoded in 32 bits as per the
   recommendation in Appendix A.2.1 of [RFC6158].

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   portRangeStart
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       portRangeStart              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 12

   TLV-Type

      9

   Length

      6

   portRangeStart

      Integer.  This field contains the data (unsigned16) of
      portRangeStart (361) defined in IPFIX, right justified, and unused
      bits MUST be set to zero.

   The IP-Port-Range-Start TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.TBD2.9.

3.2.10.  IP-Port-Range-End TLV

   The format of the IP-Port-Range-End TLV is shown in Figure 13.
   This TLV carries IPFIX Information Element 362, "portRangeEnd", which
   is the largest port number of a range of contiguous transport ports
   (refer to [IPFIX]).  The value is encoded in 32 bits as per the
   recommendation in Appendix A.2.1 of [RFC6158].

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   portRangeEnd
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       portRangeEnd                |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 13

   TLV-Type

      10

   Length

      6

   portRangeEnd

      Integer.  This field contains the data (unsigned16) of
      portRangeEnd (362) defined in IPFIX, right justified, and unused
      bits MUST be set to zero.

   The IP-Port-Range-End TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.TBD2.10.

3.2.11.  IP-Port-Local-Id TLV

   The format of the IP-Port-Local-Id TLV is shown in Figure 14.  This
   TLV carries a string called "localID", which is a locally significant
   identifier as explained below.

   The primary issue addressed by this TLV is that there are CGN
   deployments that do not distinguish internal hosts by their internal
   IP address alone, but use further identifiers for unique subscriber
   identification.  For example, this is the case if a CGN supports
   overlapping private or shared IP address spaces (refer to [RFC1918]
   and [RFC6598]) for internal hosts of different subscribers.  In such
   cases, different internal hosts are identified and mapped at the CGN
   by their IP address and/or another identifier, for example, the
   identifier of a tunnel between the CGN and the subscriber.  In these
   scenarios (and similar ones), the internal IP address is not
   sufficient to demultiplex connections from internal hosts.
   An additional identifier needs to be present in the IP-Port-Range
   Attribute and the IP-Port-Forwarding-Map Attribute in order to
   uniquely identify an internal host.  The IP-Port-Local-Id TLV is used
   to carry this identifier.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   localID ....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 14

   TLV-Type

      11

   Length

      Variable number of bytes.

   localID

      String.  The data type of this field is string (refer to
      [I-D.ietf-radext-datatypes]).  This field contains a local session
      identifier at the customer premises, such as a MAC address,
      interface ID, VLAN ID, PPP session ID, VRF ID, IP address/prefix,
      etc.

   The IP-Port-Local-Id TLV MAY be included in the following Attributes:

   o  IP-Port-Range Attribute, identified as 241.TBD2.11 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.11 (see
      Section 3.1.3).

4.  Applications, Use Cases and Examples

   This section describes some applications and use cases to illustrate
   the use of the attributes proposed in this document.

4.1.  Managing CGN Port Behavior using RADIUS

   In a broadband network, customer information is usually stored on a
   RADIUS server, and the BNG acts as a NAS.  The communication between
   the NAS and the RADIUS server is triggered when a user signs in to
   the Internet service, using either PPP or DHCP/DHCPv6.  When a user
   signs in, the NAS sends a RADIUS Access-Request message to the RADIUS
   server.  The RADIUS server validates the request and, if the
   validation succeeds, sends back a RADIUS Access-Accept message.
   The Access-Accept message carries configuration information specific
   to that user back to the NAS, where some of the information is passed
   on to the requesting user via PPP or DHCP/DHCPv6.

   A CGN function in a broadband network is most likely to be co-located
   on a BNG.  In that case, parameters for the CGN port mapping behavior
   for users can be configured on the RADIUS server.  When a user signs
   in to the Internet service, the associated parameters can be conveyed
   to the NAS, and the proper configuration is applied on the CGN device
   for that user.

   CGN operation status, such as CGN port allocation and deallocation
   for a specific user on the BNG, can also be transmitted back to the
   RADIUS server for accounting purposes using the RADIUS protocol.

   The RADIUS protocol is already widely deployed in broadband networks
   to manage BNGs, so the functionality described in this specification
   introduces little overhead to existing network operation.

   In the following sub-sections, we describe how to manage CGN behavior
   using the RADIUS protocol, with the RADIUS extensions proposed in
   Section 3.

4.1.1.  Configure IP Port Limit for a User

   In the face of IPv4 address shortage, there are currently proposals
   to multiplex multiple users' connections over a number of shared IPv4
   addresses, such as Carrier-Grade NAT [RFC6888], Dual-Stack Lite
   [RFC6333], NAT64 [RFC6146], etc.  As a result, a single public IPv4
   address may be shared by hundreds or even thousands of users.  As
   indicated in [RFC6269], it is therefore necessary to impose limits on
   the total number of ports available to an individual user to ensure
   that the shared resource, i.e., the IPv4 address, remains available
   in some capacity to all the users sharing it.  Support for an IP port
   limit is also documented in [RFC6888] as a requirement for CGN.
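   The IP-Port-Limit-Info Attribute carried in the Access-Accept of this
   section, and the IP-Port-Range and IP-Port-Forwarding-Map Attributes
   used in Sections 4.1.2 and 4.1.3, are all extended attributes in the
   241.TBDx space of [RFC6929] whose value is the sequence of TLVs
   defined in Section 3.2.  The encoder/decoder below is an added
   example written for this page; it is not code from the draft or its
   authors.  It assumes placeholder values 5, 6 and 7 for the unassigned
   TBD1, TBD2 and TBD3, leaves out the IP-Port-Type TLV (Section 3.2.1),
   and applies the checks the TLV definitions call for on receipt: the
   fixed Length values 6 and 18, the right-justified 16- and 8-bit values
   with unused bits zero, natEvent restricted to 1 and 2, portRangeStart
   not above portRangeEnd, and (as Section 4.1.4 requires of the CGN)
   the total of the allocated ranges staying within the IP port limit.

```python
"""Added example (not from the draft): codec for the 241.TBDx extended
attributes and the Section 3.2 TLVs, with receiver-side validation."""
import ipaddress
import struct

EXT_TYPE = 241  # Extended-Type-1 space of RFC 6929, as the draft assumes
# TBD1..TBD3 are unassigned in the draft; these placeholders are an
# assumption of this example only.
IP_PORT_LIMIT_INFO, IP_PORT_RANGE, IP_PORT_FORWARDING_MAP = 5, 6, 7

# TLV-Type values from Section 7.3 (IP-Port-Type, value 1, not covered here)
T_LIMIT, T_EXT_V4, T_INT_V4, T_INT_V6, T_INT_PORT = 2, 3, 4, 5, 6
T_EXT_PORT, T_ALLOC, T_RANGE_START, T_RANGE_END, T_LOCAL_ID = 7, 8, 9, 10, 11

# TLVs whose unsigned16/unsigned8 IPFIX value is right-justified in a
# 32-bit field; the mask is the set of bits allowed to be non-zero.
U32_TLVS = {T_LIMIT: 0xFFFF, T_INT_PORT: 0xFFFF, T_EXT_PORT: 0xFFFF,
            T_RANGE_START: 0xFFFF, T_RANGE_END: 0xFFFF, T_ALLOC: 0xFF}
V4_TLVS = (T_EXT_V4, T_INT_V4)
FIXED_LEN = {**{t: 6 for t in U32_TLVS}, **{t: 6 for t in V4_TLVS}, T_INT_V6: 18}


def encode_tlv(tlv_type, value):
    """TLV-Type | Length | data; Length includes the 2-octet header."""
    if tlv_type in U32_TLVS:
        if not 0 <= value <= U32_TLVS[tlv_type]:
            raise ValueError("value %r out of range for TLV %d" % (value, tlv_type))
        data = struct.pack("!I", value)          # right-justified, pad bits zero
    elif tlv_type in V4_TLVS:
        data = ipaddress.IPv4Address(value).packed
    elif tlv_type == T_INT_V6:
        data = ipaddress.IPv6Address(value).packed
    elif tlv_type == T_LOCAL_ID:
        data = value.encode("utf-8")
    else:
        raise ValueError("unknown TLV-Type %d" % tlv_type)
    if len(data) + 2 > 255:
        raise ValueError("TLV %d too long" % tlv_type)
    return struct.pack("!BB", tlv_type, len(data) + 2) + data


def encode_attribute(ext_type, tlvs):
    """Type(241) | Length | Extended-Type | TLVs, per RFC 6929."""
    value = b"".join(encode_tlv(t, v) for t, v in tlvs)
    if len(value) + 3 > 255:
        raise ValueError("attribute exceeds 255 octets")
    return struct.pack("!BBB", EXT_TYPE, len(value) + 3, ext_type) + value


def decode_tlvs(data):
    """Parse TLVs, rejecting bad lengths, unknown types and non-zero pad bits."""
    tlvs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated TLV header")
        tlv_type, length = data[0], data[1]
        if length < 2 or length > len(data) or length != FIXED_LEN.get(tlv_type, length):
            raise ValueError("bad Length %d for TLV %d" % (length, tlv_type))
        body, data = data[2:length], data[length:]
        if tlv_type in U32_TLVS:
            value = struct.unpack("!I", body)[0]
            if value & ~U32_TLVS[tlv_type]:       # "unused bits MUST be set to zero"
                raise ValueError("unused bits set in TLV %d" % tlv_type)
        elif tlv_type in V4_TLVS:
            value = str(ipaddress.IPv4Address(body))
        elif tlv_type == T_INT_V6:
            value = str(ipaddress.IPv6Address(body))
        elif tlv_type == T_LOCAL_ID:
            value = body.decode("utf-8")
        else:
            raise ValueError("unknown TLV-Type %d" % tlv_type)
        tlvs.append((tlv_type, value))
    return tlvs


def decode_attribute(data):
    """Return (Extended-Type, [(TLV-Type, value), ...]) for one attribute."""
    if len(data) < 3 or data[0] != EXT_TYPE or data[1] != len(data):
        raise ValueError("malformed extended attribute")
    return data[2], decode_tlvs(data[3:])


def validate_port_range(tlvs):
    """IP-Port-Range checks: mandatory TLVs present, natEvent is 1 or 2,
    portRangeStart <= portRangeEnd.  Returns a dict keyed by TLV-Type."""
    d = dict(tlvs)
    for required in (T_ALLOC, T_RANGE_START, T_RANGE_END):
        if required not in d:
            raise ValueError("IP-Port-Range lacks TLV %d" % required)
    if d[T_ALLOC] not in (1, 2):
        raise ValueError("natEvent %d is neither Allocation nor Deallocation" % d[T_ALLOC])
    if d[T_RANGE_START] > d[T_RANGE_END]:
        raise ValueError("portRangeStart exceeds portRangeEnd")
    return d


def ports_in_ranges(ranges):
    """Ports covered by inclusive (start, end) ranges; the CGN must keep
    this at or below the user's sourceTransportPortsLimit."""
    return sum(end - start + 1 for start, end in ranges)


# Constructed sample: the Section 4.1.4 allocation report of pool
# 3500-3540 on shared address 192.0.2.15.
SAMPLE_RANGE = encode_attribute(IP_PORT_RANGE, [
    (T_ALLOC, 1), (T_EXT_V4, "192.0.2.15"),
    (T_RANGE_START, 3500), (T_RANGE_END, 3540)])

if __name__ == "__main__":
    ext, tlvs = decode_attribute(SAMPLE_RANGE)
    print(ext, validate_port_range(tlvs))
    print(ports_in_ranges([(3500, 3540), (8500, 8800)]))
```

   The length check before the type dispatch is deliberate: a Length of
   0 or 1 would otherwise never advance the cursor, and a Length beyond
   the remaining data would let a malformed attribute read past the
   packet.  `dict(tlvs)` keeps the last instance of a repeated TLV; a
   receiver that must reject duplicates should check for them before
   collapsing the list.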
   The IP port limit imposed on an end user may apply to the total
   number of IP source transport ports or to a specific IP transport
   protocol, as defined in Section 3.1.1.

   The per-user IP port limit is configured on a RADIUS server, along
   with other user information such as credentials.

   When a user signs in to the Internet service successfully, the IP
   port limit for the subscriber is passed by the RADIUS server to the
   BNG, acting as a NAS and co-located with the CGN, using the
   IP-Port-Limit-Info RADIUS Attribute (defined in Section 3.1.1), along
   with other configuration parameters.  While some parameters are
   passed on to the user, the IP port limit is recorded on the CGN
   device for enforcing the usage of IP transport ports by that user.

   Figure 15 illustrates how the RADIUS protocol is used to configure
   the maximum number of TCP/UDP ports for a given user on a CGN device.

    User                     CGN/NAS                        AAA
      |                        BNG                         Server
      |                         |                            |
      |                         |                            |
      |----Service Request----->|                            |
      |                         |                            |
      |                         |-----Access-Request-------->|
      |                         |                            |
      |                         |<----Access-Accept----------|
      |                         |    (IP-Port-Limit-Info)    |
      |                         |    (for TCP/UDP ports)     |
      |<---Service Granted -----|                            |
      |   (other parameters)    |                            |
      |                         |                            |
      |                (CGN external port                    |
      |                 allocation and                       |
      |             IPv4 address assignment)                 |
      |                         |                            |

       Figure 15: RADIUS Message Flow for Configuring CGN Port Limit

   The IP port limit created on a CGN device for a specific user using
   this RADIUS extension may be changed using a RADIUS CoA message
   [RFC5176] that carries the same RADIUS attribute.  The CoA message
   may be sent from the RADIUS server directly to the NAS; once the NAS
   accepts it and sends back a RADIUS CoA-ACK message, the new IP port
   limit replaces the previous one.

   Figure 16 illustrates how the RADIUS protocol is used to increase the
   TCP/UDP port limit from 1024 to 2048 on a CGN device for a specific
   user.
    User                     CGN/NAS                        AAA
      |                        BNG                         Server
      |                         |                            |
      |              TCP/UDP Port Limit (1024)               |
      |                         |                            |
      |                         |<---------CoA Request-------|
      |                         |    (IP-Port-Limit-Info)    |
      |                         |    (for TCP/UDP ports)     |
      |                         |                            |
      |              TCP/UDP Port Limit (2048)               |
      |                         |                            |
      |                         |---------CoA Response------>|
      |                         |                            |

     Figure 16: RADIUS Message Flow for changing a user's CGN port limit

4.1.2.  Report IP Port Allocation/Deallocation

   Upon obtaining the IP port limit for a user, the CGN device needs to
   allocate an IP transport port for the user when receiving a new IP
   flow sent from that user.

   As one practice, a CGN may allocate a block of IP ports for a
   specific user, instead of one port at a time, and within each port
   block the ports may be randomly distributed or consecutive.  When a
   CGN device allocates a block of transport ports, the information can
   be conveyed to the RADIUS server by the new RADIUS attribute
   IP-Port-Range (defined in Section 3.1.2).  The CGN device may
   allocate one or more IP port ranges, where each range contains a set
   of numbers representing IP transport ports, and the total number of
   ports MUST be less than or equal to the IP port limit imposed for
   that user.  A CGN device may choose to allocate a small port range
   first and allocate more at a later time as needed; this practice is
   beneficial because it introduces randomness into the port assignment.

   At the same time, the CGN device also needs to decide the shared IPv4
   address for that user.  The shared IPv4 address and the pre-allocated
   IP port range are both passed to the RADIUS server.

   When a user initiates an IP flow, the CGN device randomly selects a
   transport port number from the pre-allocated IP port range associated
   with that user to replace the original source port number, and
   replaces the source IP address with the shared IPv4 address.
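   The allocation report described above travels in an Accounting-
   Request (Figure 17), whose only built-in protection is the Request
   Authenticator of [RFC2866]: an MD5 digest over the packet and the
   client-server shared secret.  The following code is an added example,
   not part of the draft: it builds the Accounting-Request a NAS would
   send for the first port pool of Section 4.1.4, verifies it the way
   the AAA server does, and shows that a port range altered in transit
   is detected while the range itself stays readable.  The placeholder 6
   for TBD2, the RADIUS Identifier and the shared secret are assumptions
   of the example.

```python
"""Added example (not from the draft): Accounting-Request carrying an
IP-Port-Range report, with the RFC 2866 Request Authenticator computed
by the NAS and verified by the AAA server."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                 # RADIUS Code (RFC 2866)
ACCT_STATUS_TYPE, INTERIM_UPDATE = 40, 3
EXT_TYPE, TBD2 = 241, 6                # 6 is this example's placeholder for TBD2
T_EXT_V4, T_ALLOC, T_RANGE_START, T_RANGE_END = 3, 8, 9, 10   # Section 7.3


def ip_port_range(alloc, ext_v4, start, end):
    """IP-Port-Range (241.TBD2) with natEvent, postNATSourceIPv4Address,
    portRangeStart and portRangeEnd TLVs; the 8/16-bit values sit
    right-justified in 32 bits as the draft requires."""
    tlvs = (struct.pack("!BBI", T_ALLOC, 6, alloc)
            + struct.pack("!BB4B", T_EXT_V4, 6, *map(int, ext_v4.split(".")))
            + struct.pack("!BBI", T_RANGE_START, 6, start)
            + struct.pack("!BBI", T_RANGE_END, 6, end))
    return struct.pack("!BBB", EXT_TYPE, len(tlvs) + 3, TBD2) + tlvs


def attr(attr_type, value):
    """Ordinary Type | Length | Value attribute (Length includes header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, attributes, secret):
    """RFC 2866: Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + Attributes + Secret).  Returns the whole packet."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator over the received packet.
    Any change to Code, Identifier, Length or the attributes fails here."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def tampered(packet):
    """Flip the low bit of the last octet (the low byte of portRangeEnd),
    as an on-path party without the secret could do."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])


# Constructed sample: the NAS reports allocation of 3500-3540 on
# 192.0.2.15 (Section 4.1.4); the secret exists only in this example.
SECRET = b"example-shared-secret"
ATTRS = (attr(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE))
         + ip_port_range(1, "192.0.2.15", 3500, 3540))
PACKET = build_accounting_request(7, ATTRS, SECRET)

if __name__ == "__main__":
    print(verify_accounting_request(PACKET, SECRET))            # genuine
    print(verify_accounting_request(tampered(PACKET), SECRET))  # altered range
```

   Note what the authenticator does not give: the shared address and the
   port range are in the clear in `PACKET`, which is exactly the
   disclosure Section 6 warns about, and the construction is a keyed MD5
   rather than a modern MAC.  That is why the draft expects the
   client-server path to be protected by IPsec or RADIUS/TLS [RFC6614]
   rather than relying on the authenticator alone.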
   A CGN device may decide to "free" a previously assigned set of IP
   ports that were allocated for a specific user but are not currently
   in use; when it does so, the CGN device must send the deallocated IP
   port range, along with the shared IPv4 address, to the RADIUS server.

   Figure 17 illustrates how the RADIUS protocol is used to report a set
   of ports allocated and deallocated, respectively, by a NAT64 device
   for a specific user to the RADIUS server.

    Host                    NAT64/NAS                       AAA
      |                        BNG                         Server
      |                         |                            |
      |                         |                            |
      |----Service Request----->|                            |
      |                         |                            |
      |                         |-----Access-Request-------->|
      |                         |                            |
      |                         |<----Access-Accept----------|
      |<---Service Granted -----|                            |
      |   (other parameters)    |                            |
     ...                       ...                          ...
      |                         |                            |
      |                         |                            |
      |           (NAT64 decides to allocate                 |
      |       a TCP/UDP port range for the user)             |
      |                         |                            |
      |                         |-----Accounting-Request---->|
      |                         |      (IP-Port-Range        |
      |                         |       for allocation)      |
     ...                       ...                          ...
      |                         |                            |
      |          (NAT64 decides to deallocate                |
      |       a TCP/UDP port range for the user)             |
      |                         |                            |
      |                         |-----Accounting-Request---->|
      |                         |      (IP-Port-Range        |
      |                         |       for deallocation)    |
      |                         |                            |

       Figure 17: RADIUS Message Flow for reporting NAT64 allocation/
                          deallocation of a port set

4.1.3.  Configure Forwarding Port Mapping

   In most scenarios, the port mapping on a NAT device is dynamically
   created when the IP packets of an IP connection initiated by a user
   arrive.  For some applications, the port mapping needs to be
   pre-defined, allowing IP packets of applications from outside a CGN
   device to pass through and be "port forwarded" to the correct user
   located behind the CGN device.

   The Port Control Protocol [RFC6887] provides a mechanism to create a
   mapping from an external IP address and port to an internal IP
   address and port on a CGN device precisely to achieve this "port
   forwarding" purpose.
   PCP is a client-server protocol capable of dynamically creating or
   deleting a mapping on a CGN device, along with a rich set of other
   features.  In some deployments, all a user needs is a few, typically
   just one, pre-configured port mappings for applications such as a web
   cam at home, and such a port mapping remains valid throughout the
   duration of the customer's Internet service connection.  In such an
   environment, it is possible to statically configure a port mapping on
   the RADIUS server for a user and let the RADIUS protocol propagate
   the information to the associated CGN device.

   Note that this document targets deployments where a AAA server is
   responsible for instructing NAT mappings for a given subscriber and
   does not make any assumption about the host's capabilities with
   regard to port forwarding control.  This deployment model is
   complementary to PCP, given that PCP targets a different deployment
   model where an application (on the host) controls its mappings in an
   upstream CPE, CGN, firewall, etc.

   Figure 18 illustrates how the RADIUS protocol is used to configure a
   forwarding port mapping on a NAT44 device.
    Host                     CGN/NAS                        AAA
      |                        BNG                         Server
      |                         |                            |
      |----Service Request----->|                            |
      |                         |                            |
      |                         |---------Access-Request---->|
      |                         |                            |
      |                         |<--------Access-Accept------|
      |                         |   (IP-Port-Forwarding-Map) |
      |<---Service Granted -----|                            |
      |   (other parameters)    |                            |
      |                         |                            |
      |             (Create a port mapping                   |
      |              for the user, and                       |
      |              associate it with the                   |
      |              internal IP address                     |
      |              and external IP address)                |
      |                         |                            |
      |                         |                            |
      |                         |------Accounting-Request--->|
      |                         |   (IP-Port-Forwarding-Map) |

      Figure 18: RADIUS Message Flow for configuring a forwarding port
                                 mapping

   A port forwarding mapping that is created on a CGN device using this
   RADIUS extension as described above may also be changed using a
   RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
   The CoA message may be sent from the RADIUS server directly to the
   NAS; once the NAS accepts it and sends back a RADIUS CoA-ACK message,
   the new port forwarding mapping replaces the previous one.

   Figure 19 illustrates how the RADIUS protocol is used to change an
   existing port mapping from (a:X) to (a:Y), where "a" is an internal
   port and "X" and "Y" are external ports, for a specific user with a
   specific IP address.

    Host                     CGN/NAS                        AAA
      |                        BNG                         Server
      |                         |                            |
      |          Internal IP Address                         |
      |            Port Map (a:X)                            |
      |                         |                            |
      |                         |<---------CoA Request-------|
      |                         |   (IP-Port-Forwarding-Map) |
      |                         |                            |
      |          Internal IP Address                         |
      |            Port Map (a:Y)                            |
      |                         |                            |
      |                         |---------CoA Response------>|
      |                         |   (IP-Port-Forwarding-Map) |

     Figure 19: RADIUS Message Flow for changing a user's forwarding port
                                 mapping

4.1.4.  An Example

   An Internet Service Provider (ISP) assigns 500 TCP/UDP ports to the
   user Joe.  This number is the limit on the TCP/UDP ports that can be
   used on a CGN device for Joe, and it is configured on a RADIUS
   server.
   Also, Joe asks for a pre-defined port forwarding mapping on the CGN
   device for his web cam application (external port 5000 maps to
   internal port 1234).

   When Joe successfully connects to the Internet service, the RADIUS
   server conveys the TCP/UDP port limit (500) and the forwarding port
   mapping (external port 5000 to internal port 1234) to the CGN device,
   using the IP-Port-Limit-Info Attribute and the IP-Port-Forwarding-Map
   Attribute, respectively, carried by an Access-Accept message to the
   BNG where the NAS and CGN are co-located.

   Upon receiving the first outbound IP packet sent from Joe's laptop,
   the CGN device decides to allocate a small port pool that contains 41
   consecutive ports, from 3500 to 3540 inclusive, and also assigns the
   shared IPv4 address 192.0.2.15 to Joe.  The CGN device also randomly
   selects one port from the allocated range (say 3519) and uses that
   port to replace the original source port in outbound IP packets.

   For accounting purposes, the CGN device passes this port range
   (3500-3540) and the shared IPv4 address 192.0.2.15 together to the
   RADIUS server using the IP-Port-Range Attribute carried by an
   Accounting-Request message.

   When Joe works with more applications, creating more outbound IP
   mappings, and the port pool (3500-3540) is close to exhaustion, the
   CGN device allocates a second port pool (8500-8800) in a similar
   fashion, and again passes the new port range (8500-8800) and the IPv4
   address 192.0.2.15 together to the RADIUS server using the
   IP-Port-Range Attribute carried by an Accounting-Request message.
   Note that when the CGN allocates more ports, it needs to ensure that
   the total number of ports allocated for Joe stays within the limit.

   Joe decides to upgrade his service agreement to allow more TCP/UDP
   ports (up to 1000 ports).
   The ISP updates the information in Joe's profile on the RADIUS
   server, which then sends a CoA-Request message that carries the
   IP-Port-Limit-Info Attribute with 1000 ports to the CGN device; the
   CGN device in turn sends back a CoA-ACK message.  With that, Joe
   enjoys more available TCP/UDP ports for his applications.

   When Joe is not using his service, most of the IP mappings are closed
   and their associated TCP/UDP ports released on the CGN device, which
   then sends the relevant information back to the RADIUS server using
   the IP-Port-Range Attribute carried by an Accounting-Request message.

   Throughout Joe's connection to his ISP's Internet service,
   applications in the external realm can communicate directly with his
   web cam at home, traversing the pre-configured mapping on the CGN
   device.

   When Joe disconnects from his Internet service, the CGN device
   deallocates all TCP/UDP ports as well as the port-forwarding mapping,
   and sends the relevant information to the RADIUS server.

4.2.  Report Assigned Port Set for a Visiting UE

   Figure 20 illustrates an example of the flow exchange that occurs
   when a visiting User Equipment (UE) connects to a CPE offering WLAN
   service.

   For identification purposes (see [RFC6967]), once the CPE assigns a
   port set, it issues a RADIUS message to report the assigned port set.

    UE           CPE          CGN                           AAA
     |            |           BNG                          Server
     |            |            |                             |
     |            |            |                             |
     |----Service Request----->|                             |
     |            |            |                             |
     |            |            |-----Access-Request--------->|
     |            |            |                             |
     |            |            |<----Access-Accept-----------|
     |<---Service Granted -----|                             |
     |   (other parameters)    |                             |
    ...           |           ...                           ...
     |<---IP@-----|            |                             |
     |            |            |                             |
     |   (CPE assigns a TCP/UDP port                         |
     |    range for this visiting UE)                        |
     |            |            |                             |
     |            |--Accounting-Request-...----------------->|
     |            |    (IP-Port-Range                        |
     |            |     for allocation)                      |
    ...           |           ...                           ...
     |            |            |                             |
     |            |            |                             |
     |   (CPE withdraws a TCP/UDP port                       |
     |    range for a visiting UE)                           |
     |            |            |                             |
     |            |--Accounting-Request-...----------------->|
     |            |    (IP-Port-Range                        |
     |            |     for deallocation)                    |
     |            |            |                             |

       Figure 20: RADIUS Message Flow for reporting CPE allocation/
                 deallocation of a port set to a visiting UE

5.  Table of Attributes

   This document proposes three new RADIUS attributes; their Type values
   are as follows:

   o  IP-Port-Limit-Info: 241.TBD1.

   o  IP-Port-Range: 241.TBD2.

   o  IP-Port-Forwarding-Map: 241.TBD3.

   Note to IANA: it is assumed that Extended-Type-1 "241" will be used
   for these attributes.

   The following table provides a guide as to which types of RADIUS
   packets may contain these attributes, and in what quantity.

   Request Accept Reject Challenge Acct.    #    Attribute
                                   Request
   0+      0+     0      0         0+      TBA  IP-Port-Limit-Info
   0       0      0      0         0+      TBA  IP-Port-Range
   0+      0+     0      0         0+      TBA  IP-Port-Forwarding-Map

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the
       packet.

6.  Security Considerations

   This document does not introduce any security issue other than the
   ones already identified in RADIUS [RFC2865] and, for CoA messages,
   [RFC5176].  Known RADIUS vulnerabilities apply to this specification.
   For example, if RADIUS packets are sent in the clear, an attacker in
   the communication path between the RADIUS client and server may read
   or alter the exchanged attributes in order to: deny a legitimate user
   access to the service by setting the maximum number of IP ports
   conveyed in an IP-Port-Limit-Info Attribute; exhaust a user's port
   quota by installing many mapping entries (IP-Port-Forwarding-Map
   Attribute); prevent incoming traffic from being delivered to its
   legitimate destination by manipulating the mapping entries installed
   by means of an IP-Port-Forwarding-Map Attribute; or discover the IP
   address and port range assigned to a given user, as reported in an
   IP-Port-Range Attribute.  The root cause of these attack vectors is
   the lack of confidentiality and integrity protection on the
   communication between the RADIUS client and server.

   The IP-Port-Local-Id TLV includes an identifier whose type and length
   are deployment and implementation dependent.  This identifier might
   carry privacy-sensitive information.  It is therefore RECOMMENDED to
   utilize identifiers that do not raise such privacy concerns.

   This document targets deployments where a trusted relationship is in
   place between the RADIUS client and server, with communication
   optionally secured by IPsec or Transport Layer Security (TLS)
   [RFC6614].

7.  IANA Considerations

   This document requires new code point assignments for both IPFIX
   Information Elements and RADIUS attributes, as explained in the
   following sub-sections.

   It is assumed that Extended-Type-1 "241" will be used for the RADIUS
   attributes in Section 7.2.

7.1.  IANA Considerations on New IPFIX Information Elements

   The following is a new IPFIX Information Element requested by this
   document (refer to Section 3.2.2):

   o  sourceTransportPortsLimit:

      *  Name: sourceTransportPortsLimit.

      *  Element ID: TBAx1.
      *  Description: This Information Element contains the maximum
         number of IP source transport ports that can be used by an end
         user when sending IP packets; each user is associated with one
         or more (source) IPv4 or IPv6 addresses.  This IE is
         particularly useful in address sharing deployments that adhere
         to REQ-4 of [RFC6888].  Limiting the number of ports assigned
         to each user ensures fairness among users and mitigates the
         denial-of-service attack that a user could launch against other
         users through the address sharing device in order to grab more
         ports.

      *  Data type: unsigned16.

      *  Data type semantics: totalCounter.

      *  Data type unit: ports.

      *  Data value range: from 1 to 65535.

7.2.  IANA Considerations on New RADIUS Attributes

   The authors request that the Attribute Types and Attribute Values
   defined in this document be registered by the Internet Assigned
   Numbers Authority (IANA) from the RADIUS namespaces as described in
   the "IANA Considerations" section of [RFC3575], in accordance with
   BCP 26 [RFC5226].  For the RADIUS packets, attributes and registries
   created by this document, IANA is requested to place them at
   http://www.iana.org/assignments/radius-types.

   In particular, this document defines three new RADIUS attributes,
   entitled "IP-Port-Limit-Info" (see Section 3.1.1), "IP-Port-Range"
   (see Section 3.1.2) and "IP-Port-Forwarding-Map" (see Section 3.1.3),
   with assigned values of 241.TBD1, 241.TBD2 and 241.TBD3 from the
   Short Extended Space of [RFC6929]:

   Type      Name                     Meaning
   ----      ----                     -------
   241.TBD1  IP-Port-Limit-Info       see Section 3.1.1
   241.TBD2  IP-Port-Range            see Section 3.1.2
   241.TBD3  IP-Port-Forwarding-Map   see Section 3.1.3

7.3.  IANA Considerations on New RADIUS TLVs

   This specification requests allocation of the following TLVs:

   Name                    Value   Meaning
   ----                    -----   -------
   IP-Port-Type            1       see Section 3.2.1
   IP-Port-Limit           2       see Section 3.2.2
   IP-Port-Ext-IPv4-Addr   3       see Section 3.2.3
   IP-Port-Int-IPv4-Addr   4       see Section 3.2.4
   IP-Port-Int-IPv6-Addr   5       see Section 3.2.5
   IP-Port-Int-Port        6       see Section 3.2.6
   IP-Port-Ext-Port        7       see Section 3.2.7
   IP-Port-Alloc           8       see Section 3.2.8
   IP-Port-Range-Start     9       see Section 3.2.9
   IP-Port-Range-End       10      see Section 3.2.10
   IP-Port-Local-Id        11      see Section 3.2.11

8.  Acknowledgements

   Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
   Thaler, Alan DeKok, Lionel Morand, and Peter Deacon for their useful
   comments and suggestions.

   Special thanks to Lionel Morand for the Shepherd review and to
   Kathleen Moriarty for the AD review.

   Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed
   review.

9.  References

9.1.  Normative References

   [I-D.ietf-radext-datatypes]
              DeKok, A., "Data Types in the Remote Authentication Dial-
              In User Service Protocol (RADIUS)", draft-ietf-radext-
              datatypes-07 (work in progress), August 2016.

   [IPFIX]    IANA, "IP Flow Information Export (IPFIX) Entities".

   [ProtocolNumbers]
              IANA, "Protocol Numbers".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              DOI 10.17487/RFC3575, July 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013.

9.2.  Informative References

   [I-D.gundavelli-v6ops-community-wifi-svcs]
              Gundavelli, S., Grayson, M., Seite, P., and Y. Lee,
              "Service Provider Wi-Fi Services Over Residential
              Architectures", draft-gundavelli-v6ops-community-wifi-
              svcs-06 (work in progress), April 2013.

   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
              and E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram
              Congestion Control Protocol (DCCP)", RFC 4340,
              DOI 10.17487/RFC4340, March 2006.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, DOI 10.17487/RFC4960, September 2007.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6598]  Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and
              M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address
              Space", BCP 153, RFC 6598, DOI 10.17487/RFC6598, April
              2012.

   [RFC6614]  Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
              "Transport Layer Security (TLS) Encryption for RADIUS",
              RFC 6614, DOI 10.17487/RFC6614, May 2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6967]  Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Potential Solutions for Revealing a Host
              Identifier (HOST_ID) in Shared Address Deployments",
              RFC 6967, DOI 10.17487/RFC6967, June 2013.

   [TR-146]   Broadband Forum, "TR-146: Subscriber Sessions".
Authors' Addresses

   Dean Cheng
   Huawei
   2330 Central Expressway
   Santa Clara, California 95050
   USA

   Email: dean.cheng@huawei.com

   Jouni Korhonen
   Broadcom Corporation
   3151 Zanker Road
   San Jose 95134
   USA

   Email: jouni.nospam@gmail.com

   Mohamed Boucadair
   Orange
   Rennes
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina
   USA

   Email: ssenthil@cisco.com
