Network Working Group                                           D. Cheng
Internet-Draft                                                    Huawei
Intended status: Standards Track                             J. Korhonen
Expires: April 24, 2017                             Broadcom Corporation
                                                            M. Boucadair
                                                                  Orange
                                                            S. Sivakumar
                                                           Cisco Systems
                                                        October 21, 2016

          RADIUS Extensions for IP Port Configuration and Reporting
                  draft-ietf-radext-ip-port-radius-ext-15

Abstract

   This document defines three new RADIUS attributes.  For devices that
   implement IP port ranges, these attributes are used to communicate
   with a RADIUS server in order to configure and report IP transport
   ports, as well as mapping behavior for specific hosts.  This
   mechanism can be used in various deployment scenarios such as
   Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.
   This document defines a mapping between some RADIUS attributes and
   IPFIX Information Element Identifiers.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 24, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Extensions of RADIUS Attributes and TLVs
     3.1.  Extended Attributes for IP Ports
       3.1.1.  IP-Port-Limit-Info Attribute
       3.1.2.  IP-Port-Range Attribute
       3.1.3.  IP-Port-Forwarding-Map Attribute
     3.2.  RADIUS TLVs for IP Ports
       3.2.1.  IP-Port-Type TLV
       3.2.2.  IP-Port-Limit TLV
       3.2.3.  IP-Port-Ext-IPv4-Addr TLV
       3.2.4.  IP-Port-Int-IPv4-Addr TLV
       3.2.5.  IP-Port-Int-IPv6-Addr TLV
       3.2.6.  IP-Port-Int-Port TLV
       3.2.7.  IP-Port-Ext-Port TLV
       3.2.8.  IP-Port-Alloc TLV
       3.2.9.  IP-Port-Range-Start TLV
       3.2.10. IP-Port-Range-End TLV
       3.2.11. IP-Port-Local-Id TLV
   4.  Applications, Use Cases and Examples
     4.1.  Managing CGN Port Behavior using RADIUS
       4.1.1.  Configure IP Port Limit for a User
       4.1.2.  Report IP Port Allocation/Deallocation
       4.1.3.  Configure Forwarding Port Mapping
       4.1.4.  An Example
     4.2.  Report Assigned Port Set for a Visiting UE
   5.  Table of Attributes
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  IANA Considerations on New IPFIX Information Elements
     7.2.  IANA Considerations on New RADIUS Attributes
     7.3.  IANA Considerations on New RADIUS TLVs
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   In a broadband network, customer information is usually stored on a
   RADIUS server [RFC2865].  When a user initiates an IP connection
   request and that request is authorized, the RADIUS server populates
   the user's configuration information to the Network Access Server
   (NAS), which is often referred to as a Broadband Network Gateway
   (BNG) in broadband access networks.  The Carrier-Grade NAT (CGN)
   function may also be implemented on the BNG.  Within this document,
   the CGN may perform the NAT44 [RFC3022], NAT64 [RFC6146], or
   Dual-Stack Lite AFTR [RFC6333] function.  In such a case, the CGN IP
   transport port (e.g., TCP/UDP port) mapping behavior(s) can be part
   of the configuration information sent from the RADIUS server to the
   NAS/BNG.  The NAS/BNG may also report the IP port mapping behavior
   applied by the CGN to a user session to the RADIUS server, as part
   of the accounting information sent from the NAS/BNG to the RADIUS
   server.
   When IP packets traverse the CGN, it performs mapping on the IP
   transport (e.g., TCP/UDP) source port as required.  An IP transport
   source port, along with the source IP address, destination IP
   address, destination port and protocol identifier if applicable,
   uniquely identifies a mapping.  Since the number space of IP
   transport ports in the CGN's external realm is shared among multiple
   users assigned the same IPv4 address, the total number of a user's
   simultaneous IP mappings is likely to be subject to a port quota (see
   Section 5 of [RFC6269]).

   The attributes defined in this document may also be used to report
   the assigned port range in some deployments such as Provider WLAN
   [I-D.gundavelli-v6ops-community-wifi-svcs].  For example, a visiting
   host can be managed by a CPE (Customer Premises Equipment) which
   will need to report the assigned port range to the service platform.
   This is required for identification purposes (see TR-146 [TR-146] for
   more details).

   This document defines three new attributes as extensions to the
   RADIUS protocol, used for separate purposes as follows:

   1.  IP-Port-Limit-Info: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet.  The purpose of this attribute is to limit the total
       number of IP source transport ports allocated to a user,
       associated with one or more IPv4 or IPv6 addresses.

   2.  IP-Port-Range: This attribute may be carried in a RADIUS
       Accounting-Request packet.  The purpose of this attribute is for
       an address sharing device (e.g., a CGN) to report to the RADIUS
       server the range of IP source transport ports that have been
       allocated or deallocated for a user.  The port range is bound to
       an external IPv4 address.

   3.  IP-Port-Forwarding-Map: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet.
       The purpose of this attribute is to specify how an internal IP
       source transport port, together with its internal IPv4 or IPv6
       address, is mapped to an external source transport port along
       with the external IPv4 address.

   IPFIX Information Elements [RFC7012] can be used for IP flow
   identification and representation over RADIUS.  This document
   provides a mapping between some RADIUS TLVs and IPFIX Information
   Element Identifiers.  A new IPFIX Information Element is defined by
   this document (see Section 3.2.2).

   IP protocol numbers (refer to [ProtocolNumbers]) can be used for
   identification of the IP transport protocols (e.g., TCP [RFC0793],
   UDP [RFC0768], DCCP [RFC4340], and SCTP [RFC4960]) that are
   associated with some RADIUS attributes.

   This document focuses on IPv4 address sharing.  IPv6 prefix sharing
   mechanisms (e.g., NPTv6) are out of scope.

2.  Terminology

   This document makes use of the following terms:

   o  IP Port: refers to an IP transport port (e.g., TCP port number,
      UDP port number).

   o  IP Port Type: refers to the IP transport protocol as indicated by
      the IP transport protocol number (refer to [ProtocolNumbers]).

   o  IP Port Limit: denotes the maximum number of IP ports for a
      specific (or all) IP transport protocol(s) that a device
      supporting port ranges can use when performing port number
      mappings for a specific user/host.  Note that this limit is
      usually associated with one or more IPv4/IPv6 addresses.

   o  IP Port Range: specifies a set of contiguous IP ports, indicated
      by the lowest numerical number and the highest numerical number,
      inclusively.

   o  Internal IP Address: refers to the IP address that is used by a
      host as the source IP address in an outbound IP packet sent
      towards a device supporting port ranges in the internal realm.
      The internal IP address may be IPv4 or IPv6.
   o  External IP Address: refers to the IP address that is used as the
      source IP address in an outbound IP packet after traversing a
      device supporting port ranges in the external realm.  This
      document assumes that the external IP address is an IPv4 address.

   o  Internal Port: an IP transport port allocated by a host or
      application behind an address sharing device for an outbound IP
      packet in the internal realm.

   o  External Port: an IP transport port allocated by an address
      sharing device upon receiving an outbound IP packet in the
      internal realm, and used to replace the internal port that was
      allocated by a user or application.

   o  External realm: refers to the network segment where external IP
      addresses are used as source addresses of outbound packets
      forwarded by an address sharing device.

   o  Internal realm: refers to the network segment that is behind an
      address sharing device and where internal IP addresses are used.

   o  Mapping: denotes a relationship between an internal IP address,
      internal port and the protocol, and an external IP address,
      external port and the protocol.

   o  Address sharing device: a device that is capable of sharing an
      IPv4 address among multiple users.  Typical examples of such a
      device are a CGN, a CPE, or a Provider WLAN Gateway.

3.  Extensions of RADIUS Attributes and TLVs

   Three new attributes are defined in the following sub-sections:

   1.  IP-Port-Limit-Info Attribute

   2.  IP-Port-Range Attribute

   3.  IP-Port-Forwarding-Map Attribute

   All these attributes are allocated from the RADIUS "Extended Type"
   code space per [RFC6929].

   These attributes and their embedded TLVs (refer to Section 3.2) are
   defined with globally unique names and follow the guideline in
   Section 2.7.1 of [RFC6929].
   In all the figures describing the RADIUS attribute and TLV formats
   in the following sub-sections, the fields are transmitted from left
   to right.

3.1.  Extended Attributes for IP Ports

3.1.1.  IP-Port-Limit-Info Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains some sub-attributes and the
   requirements are as follows:

   o  The IP-Port-Limit-Info Attribute MAY contain the IP-Port-Type TLV
      (see Section 3.2.1).

   o  The IP-Port-Limit-Info Attribute MUST contain the IP-Port-Limit
      TLV (see Section 3.2.2).

   o  The IP-Port-Limit-Info Attribute MAY contain the
      IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   The IP-Port-Limit-Info Attribute specifies the maximum number of IP
   ports, as indicated in the IP-Port-Limit TLV, of a specific IP
   transport protocol, as indicated in the IP-Port-Type TLV, associated
   with a given IPv4 address, as indicated in the IP-Port-Ext-IPv4-Addr
   TLV, for an end user.

   Note that when the IP-Port-Type TLV is not included as part of the
   IP-Port-Limit-Info Attribute, the port limit applies to all IP
   transport protocols.

   Note also that when the IP-Port-Ext-IPv4-Addr TLV is not included as
   part of the IP-Port-Limit-Info Attribute, the port limit applies to
   all the IPv4 addresses managed by the address sharing device, e.g.,
   a CGN or NAT64 device.

   The IP-Port-Limit-Info Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet as a
   preferred maximum number of IP ports indicated by the device
   supporting port ranges co-located with the NAS, e.g., a CGN or NAT64.

   The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Limit-Info Attribute is shown in Figure 1.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD1.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Limit TLV

         This TLV contains the maximum number of IP ports of a specific
         IP port type and associated with a given IPv4 address for an
         end user.  This TLV MUST be included in the IP-Port-Limit-Info
         Attribute.  Refer to Section 3.2.2.  This limit applies to all
         mappings that can be instantiated by an underlying address
         sharing device without soliciting any external entity.  In
         particular, this limit does not include the ports that are
         instructed by an AAA server.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port limit contained in the IP-Port-Limit TLV.  This TLV is
         optionally included as part of the IP-Port-Limit-Info
         Attribute.  Refer to Section 3.2.3.

   The IP-Port-Limit-Info Attribute is associated with the following
   identifier: 241.Extended-Type(TBD1).

3.1.2.  IP-Port-Range Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains some sub-attributes and the
   requirements are as follows:

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Type TLV (see
      Section 3.2.1).

   o  The IP-Port-Range Attribute MUST contain the IP-Port-Alloc TLV
      (see Section 3.2.8).
   o  For port allocation, the IP-Port-Range Attribute MUST contain both
      the IP-Port-Range-Start TLV (see Section 3.2.9) and the
      IP-Port-Range-End TLV (see Section 3.2.10).  For port
      deallocation, the IP-Port-Range Attribute MAY contain both of
      these two TLVs; if the two TLVs are not included, it implies that
      all ports that were previously allocated are now deallocated.

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Ext-IPv4-Addr
      TLV (see Section 3.2.3).

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Local-Id TLV
      (see Section 3.2.11).

   The IP-Port-Range Attribute contains a range of contiguous IP ports.
   These ports are either to be allocated or deallocated depending on
   the Value carried by the IP-Port-Alloc TLV.

   If the IP-Port-Type TLV is included as part of the IP-Port-Range
   Attribute, the port range is associated with the specific IP
   transport protocol as specified in the IP-Port-Type TLV, but
   otherwise is for all IP transport protocols.

   If the IP-Port-Ext-IPv4-Addr TLV is included as part of the
   IP-Port-Range Attribute, the port range as specified is associated
   with the IPv4 address as indicated, but otherwise is for all IPv4
   addresses used by the address sharing device (e.g., a CGN device)
   for the end user.

   This attribute can be used to convey a single IP transport port
   number; in such a case the Value of the IP-Port-Range-Start TLV and
   the IP-Port-Range-End TLV, respectively, contain the same port
   number.

   The information contained in the IP-Port-Range Attribute is sent to
   the RADIUS server.

   The IP-Port-Range Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Range Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Range Attribute is shown in Figure 2.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD2.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Alloc TLV

         This TLV contains a flag indicating whether the specified range
         of IP ports is being allocated or deallocated.  This TLV MUST
         be included as part of the IP-Port-Range Attribute.  Refer to
         Section 3.2.8.

      IP-Port-Range-Start TLV

         This TLV contains the smallest port number of a range of
         contiguous IP ports.  To report a port allocation, this TLV
         MUST be included together with the IP-Port-Range-End TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.9.

      IP-Port-Range-End TLV

         This TLV contains the largest port number of a range of
         contiguous IP ports.  To report a port allocation, this TLV
         MUST be included together with the IP-Port-Range-Start TLV as
         part of the IP-Port-Range Attribute.  Refer to Section 3.2.10.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port range, as collectively indicated in the
         IP-Port-Range-Start TLV and the IP-Port-Range-End TLV.  This
         TLV is optionally included as part of the IP-Port-Range
         Attribute.  Refer to Section 3.2.3.
      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IP address/prefix, etc.  This TLV is
         optionally included as part of the IP-Port-Range Attribute.
         Refer to Section 3.2.11.

   The IP-Port-Range Attribute is associated with the following
   identifier: 241.Extended-Type(TBD2).

3.1.3.  IP-Port-Forwarding-Map Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It contains some sub-attributes and the
   requirements are as follows:

   o  The IP-Port-Forwarding-Map Attribute MAY contain the IP-Port-Type
      TLV (see Section 3.2.1).

   o  The IP-Port-Forwarding-Map Attribute MUST contain both the
      IP-Port-Int-Port TLV (see Section 3.2.6) and the IP-Port-Ext-Port
      TLV (see Section 3.2.7).

   o  If the internal realm uses the IPv4 address family, the
      IP-Port-Forwarding-Map Attribute MUST contain the
      IP-Port-Int-IPv4-Addr TLV (see Section 3.2.4); if the internal
      realm uses the IPv6 address family, the IP-Port-Forwarding-Map
      Attribute MUST contain the IP-Port-Int-IPv6-Addr TLV (see
      Section 3.2.5).

   o  The IP-Port-Forwarding-Map Attribute MAY contain the
      IP-Port-Ext-IPv4-Addr TLV (see Section 3.2.3).

   o  The IP-Port-Forwarding-Map Attribute MAY contain the
      IP-Port-Local-Id TLV (see Section 3.2.11).

   The attribute contains a 2-byte IP internal port number and a 2-byte
   IP external port number.  The internal port number is associated with
   an internal IPv4 or IPv6 address that MUST always be included.  The
   external port number is associated with a specific external IPv4
   address if one is included, but otherwise with all external IPv4
   addresses for the end user.
   If the IP-Port-Type TLV is included as part of the
   IP-Port-Forwarding-Map Attribute, the port mapping is associated with
   the specific IP transport protocol as specified in the IP-Port-Type
   TLV, but otherwise is for all IP transport protocols.

   The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
   packet.  It MAY also appear in an Access-Request packet to indicate a
   preferred port mapping by the device co-located with the NAS.
   However, the server is not required to honor such a preference.

   The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request
   packet.

   The IP-Port-Forwarding-Map Attribute MAY also appear in an
   Accounting-Request packet.

   The IP-Port-Forwarding-Map Attribute MUST NOT appear in any other
   RADIUS packet.

   The format of the IP-Port-Forwarding-Map Attribute is shown in
   Figure 3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3

   Type

      241 (To be confirmed by IANA).

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBD3.

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Int-Port TLV

         This TLV contains an internal IP port number associated with an
         internal IPv4 or IPv6 address.  This TLV MUST be included
         together with the IP-Port-Ext-Port TLV as part of the
         IP-Port-Forwarding-Map Attribute.  Refer to Section 3.2.6.

      IP-Port-Ext-Port TLV

         This TLV contains an external IP port number associated with an
         external IPv4 address.
         This TLV MUST be included together with
         the IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.7.

      IP-Port-Int-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an internal realm with the IPv4 address family, this TLV
         MUST be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.4.

      IP-Port-Int-IPv6-Addr TLV

         This TLV contains an IPv6 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an internal realm with the IPv6 address family, this TLV
         MUST be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.5.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         external IP port number contained in the IP-Port-Ext-Port TLV.
         This TLV MAY be included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.3.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IP address/prefix, etc.  This TLV is
         optionally included as part of the IP-Port-Forwarding-Map
         Attribute.  Refer to Section 3.2.11.

   The IP-Port-Forwarding-Map Attribute is associated with the following
   identifier: 241.Extended-Type(TBD3).

3.2.  RADIUS TLVs for IP Ports

   The TLVs that are included in the three attributes (see Section 3.1)
   are defined in the following sub-sections.  These TLVs use the format
   defined in [RFC6929].  As the three attributes carry similar data, a
   common set of TLVs is defined and used for all three attributes.
   That is, the TLVs have the same name and number when encapsulated in
   any one of the three parent attributes.
   See Section 3.1.1, Section 3.1.2, and Section 3.1.3 for a list of
   which TLV is permitted within which parent attribute.

   The encoding of the Value field of these TLVs follows the
   recommendation of [RFC6158].  In particular, the IP-Port-Type,
   IP-Port-Limit, IP-Port-Int-Port, IP-Port-Ext-Port, IP-Port-Alloc,
   IP-Port-Range-Start, and IP-Port-Range-End TLVs are encoded in 32
   bits as per the recommendation in Appendix A.2.1 of [RFC6158].

3.2.1.  IP-Port-Type TLV

   The format of the IP-Port-Type TLV is shown in Figure 4.  This TLV
   carries the IP transport protocol number defined by IANA (refer to
   [ProtocolNumbers]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |        Protocol-Number
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Protocol-Number         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 4

   TLV-Type

      1

   Length

      6

   Protocol-Number

      Integer.  This field contains the data (unsigned8) of the protocol
      number defined in [ProtocolNumbers], right justified, and the
      unused bits in this field MUST be set to zero.  Protocols that do
      not use a port number (e.g., Resource Reservation Protocol (RSVP),
      IP Encapsulating Security Payload (ESP)) MUST NOT be included in
      the IP-Port-Type TLV.

   The IP-Port-Type TLV MAY be included in the following Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see
      Section 3.1.1).

   o  IP-Port-Range Attribute, identified as 241.TBD2.1 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.1 (see
      Section 3.1.3).

   When the IP-Port-Type TLV is included within a RADIUS Attribute, the
   associated attribute applies only to the IP transport protocol
   indicated by the Protocol-Number, such as TCP, UDP, SCTP, DCCP, etc.

3.2.2.  IP-Port-Limit TLV

   The format of the IP-Port-Limit TLV is shown in Figure 5.  This TLV
   carries the IPFIX Information Element "sourceTransportPortsLimit"
   (TBAx1), which indicates the maximum number of IP transport ports
   that an end user may use, associated with one or more IPv4 or IPv6
   addresses.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |   sourceTransportPortsLimit
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      sourceTransportPortsLimit    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 5

   TLV-Type

      2

   Length

      6

   sourceTransportPortsLimit

      Integer.  This field contains the data (unsigned16) of
      sourceTransportPortsLimit (TBAx1) defined in IPFIX, right
      justified, and the unused bits in this field MUST be set to zero.

   The IP-Port-Limit TLV MUST be included as part of the
   IP-Port-Limit-Info Attribute (refer to Section 3.1.1), identified as
   241.TBD1.2.

3.2.3.  IP-Port-Ext-IPv4-Addr TLV

   The format of the IP-Port-Ext-IPv4-Addr TLV is shown in Figure 6.
   This TLV carries IPFIX Information Element 225,
   "postNATSourceIPv4Address", which is the IPv4 source address after
   the NAT operation (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |   postNATSourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       postNATSourceIPv4Address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 6

   TLV-Type

      3

   Length

      6

   postNATSourceIPv4Address

      Integer.  This field contains the data (ipv4Address) of
      postNATSourceIPv4Address (225) defined in IPFIX.
   The IP-Port-Ext-IPv4-Addr TLV MAY be included in the following
   Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.TBD1.3 (see
      Section 3.1.1).

   o  IP-Port-Range Attribute, identified as 241.TBD2.3 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.3 (see
      Section 3.1.3).

3.2.4.  IP-Port-Int-IPv4-Addr TLV

   The format of the IP-Port-Int-IPv4-Addr TLV is shown in Figure 7.
   This TLV carries IPFIX Information Element 8, "sourceIPv4Address",
   which is the IPv4 source address before the NAT operation (refer to
   [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |       sourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          sourceIPv4Address        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 7

   TLV-Type

      4

   Length

      6

   sourceIPv4Address

      Integer.  This field contains the data (ipv4Address) of
      sourceIPv4Address (8) defined in IPFIX.

   If the internal realm uses the IPv4 address family, the
   IP-Port-Int-IPv4-Addr TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.TBD3.4.

3.2.5.  IP-Port-Int-IPv6-Addr TLV

   The format of the IP-Port-Int-IPv6-Addr TLV is shown in Figure 8.
   This TLV carries IPFIX Information Element 27, "sourceIPv6Address",
   which is the IPv6 source address before the NAT operation (refer to
   [IPFIX]).
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |        sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                           sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                           sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                           sourceIPv6Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           sourceIPv6Address   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 8

   TLV-Type

      5

   Length

      18

   sourceIPv6Address

      IPv6 address (128 bits).  This field contains the data
      (ipv6Address) of sourceIPv6Address (27) defined in IPFIX.

   If the internal realm uses the IPv6 address family, the IP-Port-Int-
   IPv6-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map
   Attribute (refer to Section 3.1.3), identified as 241.TBD3.5.

3.2.6.  IP-Port-Int-Port TLV

   The format of IP-Port-Int-Port TLV is shown in Figure 9.  This
   attribute carries IPFIX Information Element 7, "sourceTransportPort",
   which is the source transport port number associated with an internal
   IPv4 or IPv6 address (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |       sourceTransportPort
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          sourceTransportPort   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 9

   TLV-Type

      6

   Length

      6

   sourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      sourceTransportPort (7) defined in IPFIX, right justified, and
      unused bits MUST be set to zero.
   IP-Port-Int-Port TLV MUST be included as part of the IP-Port-
   Forwarding-Map Attribute (refer to Section 3.1.3), identified as
   241.TBD3.6.

3.2.7.  IP-Port-Ext-Port TLV

   The format of IP-Port-Ext-Port TLV is shown in Figure 10.  This
   attribute carries IPFIX Information Element 227,
   "postNAPTSourceTransportPort", which is the transport port number
   associated with an external IPv4 address (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |   postNAPTSourceTransportPort
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      postNAPTSourceTransportPort  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 10

   TLV-Type

      7

   Length

      6

   postNAPTSourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      postNAPTSourceTransportPort (227) defined in IPFIX, right
      justified, and unused bits MUST be set to zero.

   IP-Port-Ext-Port TLV MUST be included as part of the IP-Port-
   Forwarding-Map Attribute (refer to Section 3.1.3), identified as
   241.TBD3.7.

3.2.8.  IP-Port-Alloc TLV

   The format of IP-Port-Alloc TLV is shown in Figure 11.  This
   attribute carries IPFIX Information Element 230, "natEvent", which is
   a flag to indicate an action of NAT operation (refer to [IPFIX]).

   When the value of natEvent is "1" (Create event), it means to
   allocate a range of transport ports; when the value is "2", it means
   to deallocate a range of transport ports.  For the purpose of this
   TLV, no other value is used.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |           natEvent
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                natEvent          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 11

   TLV-Type

      8

   Length

      6

   natEvent

      Integer.  This field contains the data (unsigned8) of natEvent
      (230) defined in IPFIX, right justified, and unused bits MUST be
      set to zero.  It indicates the allocation or deallocation of a
      range of IP ports as follows:

      1:

         Allocation

      2:

         Deallocation

      Reserved:

         0.

   IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.TBD2.8.

3.2.9.  IP-Port-Range-Start TLV

   The format of IP-Port-Range-Start TLV is shown in Figure 12.  This
   attribute carries IPFIX Information Element 361, "portRangeStart",
   which is the smallest port number of a range of contiguous transport
   ports (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |         portRangeStart
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             portRangeStart       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 12

   TLV-Type

      9

   Length

      6

   portRangeStart

      Integer.  This field contains the data (unsigned16) of
      portRangeStart (361) defined in IPFIX, right justified, and unused
      bits MUST be set to zero.

   IP-Port-Range-Start TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.TBD2.9.

3.2.10.  IP-Port-Range-End TLV

   The format of IP-Port-Range-End TLV is shown in Figure 13.
   This attribute carries IPFIX Information Element 362, "portRangeEnd",
   which is the largest port number of a range of contiguous transport
   ports (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |          portRangeEnd
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              portRangeEnd        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 13

   TLV-Type

      10

   Length

      6

   portRangeEnd

      Integer.  This field contains the data (unsigned16) of
      portRangeEnd (362) defined in IPFIX, right justified, and unused
      bits MUST be set to zero.

   IP-Port-Range-End TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.TBD2.10.

3.2.11.  IP-Port-Local-Id TLV

   The format of IP-Port-Local-Id TLV is shown in Figure 14.  This
   attribute carries a string called "localID", which is a locally
   significant identifier as explained below.

   The primary issue addressed by this TLV is that there are CGN
   deployments that do not distinguish internal hosts by their internal
   IP address alone, but use further identifiers for unique subscriber
   identification.  For example, this is the case if a CGN supports
   overlapping private or shared IP address spaces (refer to [RFC1918]
   and [RFC6598]) for internal hosts of different subscribers.  In such
   cases, different internal hosts are identified and mapped at the CGN
   by their IP address and/or another identifier, for example, the
   identifier of a tunnel between the CGN and the subscriber.  In these
   scenarios (and similar ones), the internal IP address is not
   sufficient to demultiplex connections from internal hosts.
   An additional identifier needs to be present in the IP-Port-Range
   Attribute and IP-Port-Forwarding-Map Attribute in order to uniquely
   identify an internal host.  The IP-Port-Local-Id TLV is used to
   carry this identifier.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    TLV-Type   |     Length    |        localID ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 14

   TLV-Type

      11

   Length

      Variable number of bytes.

   localID

      String.  The data type of this field is string (refer to
      [I-D.ietf-radext-datatypes]).  This field contains data that is a
      local session identifier at the customer premises, such as a MAC
      address, interface ID, VLAN ID, PPP session ID, VRF ID, IP
      address/prefix, etc.

   IP-Port-Local-Id TLV MAY be included in the following Attributes:

   o  IP-Port-Range Attribute, identified as 241.TBD2.11 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.11 (see
      Section 3.1.3).

4.  Applications, Use Cases and Examples

   This section describes some applications and use cases to illustrate
   the use of the attributes proposed in this document.

4.1.  Managing CGN Port Behavior using RADIUS

   In a broadband network, customer information is usually stored on a
   RADIUS server, and the BNG acts as a NAS.  The communication between
   the NAS and the RADIUS server is triggered by a user when it signs in
   to the Internet service, where either PPP or DHCP/DHCPv6 is used.
   When a user signs in, the NAS sends a RADIUS Access-Request message
   to the RADIUS server.  The RADIUS server validates the request, and
   if the validation succeeds, it in turn sends back a RADIUS Access-
   Accept message.
   The Access-Accept message carries configuration information specific
   to that user back to the NAS, where some of the information is passed
   on to the requesting user via PPP or DHCP/DHCPv6.

   A CGN function in a broadband network is most likely to be co-located
   on a BNG.  In that case, parameters for CGN port mapping behavior for
   users can be configured on the RADIUS server.  When a user signs in
   to the Internet service, the associated parameters can be conveyed to
   the NAS, and proper configuration is accomplished on the CGN device
   for that user.

   Also, CGN operation status such as CGN port allocation and
   deallocation for a specific user on the BNG can be transmitted back
   to the RADIUS server for accounting purposes using the RADIUS
   protocol.

   The RADIUS protocol has already been widely deployed in broadband
   networks to manage BNGs, thus the functionality described in this
   specification introduces little overhead to the existing network
   operation.

   In the following sub-sections, we describe how to manage CGN behavior
   using the RADIUS protocol, with the RADIUS extensions proposed in
   Section 3.

4.1.1.  Configure IP Port Limit for a User

   In the face of IPv4 address shortage, there are currently proposals
   to multiplex multiple users' connections over a number of shared IPv4
   addresses, such as Carrier Grade NAT [RFC6888], Dual-Stack Lite
   [RFC6333], NAT64 [RFC6146], etc.  As a result, a single IPv4 public
   address may be shared by hundreds or even thousands of users.  As
   indicated in [RFC6269], it is therefore necessary to impose limits on
   the total number of ports available to an individual user to ensure
   that the shared resource, i.e., the IPv4 address, remains available
   in some capacity to all the users using it.  The support of an IP
   port limit is also documented in [RFC6888] as a requirement for CGN.
   The IP port limit imposed on an end user may be on the total number
   of IP source transport ports, or on a specific IP transport protocol
   as defined in Section 3.1.1.

   The per-user IP port limit is configured on a RADIUS server, along
   with other user information such as credentials.

   When a user signs in to the Internet service successfully, the IP
   port limit for the subscriber is passed by the RADIUS server to the
   BNG, acting as a NAS and co-located with the CGN, using the IP-Port-
   Limit-Info RADIUS attribute (defined in Section 3.1.1), along with
   other configuration parameters.  While some parameters are passed to
   the user, the IP port limit is recorded on the CGN device for
   limiting the usage of IP transport ports by that user.

   Figure 15 illustrates how the RADIUS protocol is used to configure
   the maximum number of TCP/UDP ports for a given user on a CGN device.

      User                     CGN/NAS                      AAA
        |                        BNG                       Server
        |                         |                           |
        |                         |                           |
        |----Service Request----->|                           |
        |                         |                           |
        |                         |-----Access-Request------->|
        |                         |                           |
        |                         |<-----Access-Accept--------|
        |                         |   (IP-Port-Limit-Info)    |
        |                         |   (for TCP/UDP ports)     |
        |<---Service Granted -----|                           |
        |   (other parameters)    |                           |
        |                         |                           |
        |        (CGN external port                           |
        |         allocation and                              |
        |         IPv4 address assignment)                    |
        |                         |                           |

      Figure 15: RADIUS Message Flow for Configuring CGN Port Limit

   The IP port limit created on a CGN device for a specific user using
   this RADIUS extension may be changed using a RADIUS CoA message
   [RFC5176] that carries the same RADIUS attribute.  The CoA message
   may be sent from the RADIUS server directly to the NAS; once the NAS
   accepts it and sends back a RADIUS CoA ACK message, the new IP port
   limit replaces the previous one.

   Figure 16 illustrates how the RADIUS protocol is used to increase the
   TCP/UDP port limit from 1024 to 2048 on a CGN device for a specific
   user.
      User                     CGN/NAS                      AAA
        |                        BNG                       Server
        |                         |                           |
        |               TCP/UDP Port Limit (1024)             |
        |                         |                           |
        |                         |<-------CoA Request--------|
        |                         |   (IP-Port-Limit-Info)    |
        |                         |   (for TCP/UDP ports)     |
        |                         |                           |
        |               TCP/UDP Port Limit (2048)             |
        |                         |                           |
        |                         |-------CoA Response------->|
        |                         |                           |

    Figure 16: RADIUS Message Flow for changing a user's CGN port limit

4.1.2.  Report IP Port Allocation/Deallocation

   Upon obtaining the IP port limit for a user, the CGN device needs to
   allocate an IP transport port for the user when receiving a new IP
   flow sent from that user.

   As one practice, a CGN may allocate a block of IP ports for a
   specific user, instead of one port at a time, and within each port
   block, the ports may be randomly distributed or in consecutive
   fashion.  When a CGN device allocates a block of transport ports, the
   information can be easily conveyed to the RADIUS server by a new
   RADIUS attribute called the IP-Port-Range (defined in Section 3.1.2).
   The CGN device may allocate one or more IP port ranges, where each
   range contains a set of numbers representing IP transport ports, and
   the total number of ports MUST be less than or equal to the
   associated IP port limit imposed for that user.  A CGN device may
   choose to allocate a small port range, and allocate more at a later
   time as needed; such a practice is beneficial because of its inherent
   randomization.

   At the same time, the CGN device also needs to decide the shared IPv4
   address for that user.  The shared IPv4 address and the pre-allocated
   IP port range are both passed to the RADIUS server.

   When a user initiates an IP flow, the CGN device randomly selects a
   transport port number from the associated and pre-allocated IP port
   range for that user to replace the original source port number, along
   with the replacement of the source IP address by the shared IPv4
   address.
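   As an added example that is not part of this draft, the following
   Python models both ends of the exchange described in this section:
   the CGN building the TLVs of Section 3.2 that an IP-Port-Range
   Attribute carries for one port range, the accounting-side parser
   applying the consistency checks of Section 6 before the request is
   answered, and the per-user bookkeeping that keeps the allocated
   ranges within the limit received in IP-Port-Limit-Info.  TLV-Type
   values are those of Section 7.3; the Extended-Type octets (241.TBD2)
   are unassigned in this draft, so the code stops at the TLV layer and
   builds neither the outer RADIUS attribute nor the packet.  The port
   numbers and the address 192.0.2.15 mirror the example in
   Section 4.1.4; all function and class names are this example's own.

```python
# Added example, not the draft's own code: TLV encoding/parsing for the
# IP-Port-Range Attribute (Section 3.1.2) and per-user port quota bookkeeping.
# TLV-Type values are from Section 7.3; the outer attribute (241.TBD2) is not built.
import ipaddress
import struct

TLV_EXT_IPV4_ADDR = 3   # postNATSourceIPv4Address (IPFIX IE 225), Length 6
TLV_ALLOC = 8           # natEvent (IPFIX IE 230): 1 = allocate, 2 = deallocate
TLV_RANGE_START = 9     # portRangeStart (IPFIX IE 361), Length 6
TLV_RANGE_END = 10      # portRangeEnd (IPFIX IE 362), Length 6
NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC = 1, 2

def encode_tlv(tlv_type, value):
    """TLV-Type (1 octet), Length (1 octet, counts the whole TLV), value."""
    if not 0 < tlv_type < 256 or len(value) + 2 > 255:
        raise ValueError("TLV type or length does not fit in one octet")
    return bytes([tlv_type, len(value) + 2]) + value

def uint_field(n, width_bits):
    """unsigned8/unsigned16 right-justified in a 4-octet field, rest zero."""
    if not 0 <= n < (1 << width_bits):
        raise ValueError("value out of range for unsigned%d" % width_bits)
    return struct.pack("!I", n)

def build_port_range_tlvs(event, start, end, ext_ipv4):
    """CGN side: TLVs reporting one allocated or released port range."""
    return (encode_tlv(TLV_ALLOC, uint_field(event, 8))
            + encode_tlv(TLV_RANGE_START, uint_field(start, 16))
            + encode_tlv(TLV_RANGE_END, uint_field(end, 16))
            + encode_tlv(TLV_EXT_IPV4_ADDR, ipaddress.IPv4Address(ext_ipv4).packed))

def decode_tlvs(data):
    """Split a TLV sequence, rejecting truncated or undersized TLVs."""
    tlvs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated TLV header at offset %d" % i)
        tlv_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad TLV length %d at offset %d" % (length, i))
        tlvs.append((tlv_type, data[i + 2:i + length]))
        i += length
    return tlvs

def parse_port_range(data):
    """Server side: parse the TLVs and apply the consistency checks that
    Section 6 requires before an Accounting-Request is answered."""
    fields = {}
    for tlv_type, value in decode_tlvs(data):
        if tlv_type in (TLV_ALLOC, TLV_RANGE_START, TLV_RANGE_END):
            if len(value) != 4:
                raise ValueError("TLV %d must have Length 6" % tlv_type)
            n = struct.unpack("!I", value)[0]
            if n > (0xFF if tlv_type == TLV_ALLOC else 0xFFFF):
                raise ValueError("unused bits set in TLV %d" % tlv_type)
            fields[tlv_type] = n
        elif tlv_type == TLV_EXT_IPV4_ADDR:
            if len(value) != 4:
                raise ValueError("ipv4Address must be 4 octets")
            fields[tlv_type] = str(ipaddress.IPv4Address(value))
    for required in (TLV_ALLOC, TLV_RANGE_START, TLV_RANGE_END):
        if required not in fields:
            raise ValueError("missing mandatory TLV %d" % required)
    if fields[TLV_ALLOC] not in (NAT_EVENT_ALLOC, NAT_EVENT_DEALLOC):
        raise ValueError("natEvent %d is not used by this TLV" % fields[TLV_ALLOC])
    if fields[TLV_RANGE_START] > fields[TLV_RANGE_END]:
        raise ValueError("erroneous port range: start is above end")
    return fields

def is_valid_port_range(data):
    """True when the TLVs parse cleanly; False means the server sends no response."""
    try:
        parse_port_range(data)
        return True
    except ValueError:
        return False

class PortQuota:
    """CGN-side bookkeeping: ranges allocated to one user stay within the limit."""

    def __init__(self, limit):
        self.limit = limit
        self.ranges = []            # (start, end) pairs, both inclusive

    def allocated(self):
        return sum(end - start + 1 for start, end in self.ranges)

    def can_allocate(self, start, end):
        if not 1 <= start <= end <= 65535:
            return False
        return self.allocated() + (end - start + 1) <= self.limit

    def allocate(self, start, end):
        if not self.can_allocate(start, end):
            raise ValueError("range %d-%d would exceed the IP port limit" % (start, end))
        self.ranges.append((start, end))

    def deallocate(self, start, end):
        self.ranges.remove((start, end))     # ValueError if never allocated
```

   The parser deliberately refuses a bundle whose portRangeStart is
   above portRangeEnd, whose natEvent is outside {1, 2}, or whose
   right-justified fields have non-zero unused bits, which are the
   "erroneous port range" cases Section 6 says the server must not
   answer.  The quota class counts ranges inclusively, so 3500-3540 and
   8500-8800 together consume 342 of a 500-port limit.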
   A CGN device may decide to "free" a previously assigned set of IP
   ports that have been allocated for a specific user but are not
   currently in use, and with that, the CGN device must send the
   information of the deallocated IP port range along with the shared
   IPv4 address to the RADIUS server.

   Figure 17 illustrates how the RADIUS protocol is used to report a set
   of ports allocated and deallocated, respectively, by a NAT64 device
   for a specific user to the RADIUS server.  2001:db8:100:200::/56 is
   the IPv6 prefix allocated to this user.  In order to limit the usage
   of the NAT64 resources on a per-user basis for fairness of resource
   usage (see REQ-4 of [RFC6888]), port range allocations are bound to
   the /56 prefix, not to the source IPv6 address of the request.  The
   NAT64 device is configured with the per-user port limit policy by
   some means (e.g., subscriber-mask [RFC7785]).

      Host                    NAT64/NAS                     AAA
        |                        BNG                       Server
        |                         |                           |
        |                         |                           |
        |----Service Request----->|                           |
        |                         |                           |
        |                         |-----Access-Request------->|
        |                         |                           |
        |                         |<-----Access-Accept--------|
        |<---Service Granted -----|                           |
        |   (other parameters)    |                           |
       ...                       ...                         ...
        |                         |                           |
        |                         |                           |
        |      (NAT64 decides to allocate                     |
        |       a TCP/UDP port range for the user)            |
        |                         |                           |
        |                         |-----Accounting-Request--->|
        |                         |   (IP-Port-Range          |
        |                         |    for allocation)        |
       ...                       ...                         ...
        |                         |                           |
        |      (NAT64 decides to deallocate                   |
        |       a TCP/UDP port range for the user)            |
        |                         |                           |
        |                         |-----Accounting-Request--->|
        |                         |   (IP-Port-Range          |
        |                         |    for deallocation)      |
        |                         |                           |

       Figure 17: RADIUS Message Flow for reporting NAT64 allocation/
                        deallocation of a port set

4.1.3.  Configure Forwarding Port Mapping

   In most scenarios, the port mapping on a NAT device is dynamically
   created when the IP packets of an IP connection initiated by a user
   arrive.
   For some applications, the port mapping needs to be pre-defined,
   allowing IP packets of applications from outside a CGN device to pass
   through and be "port forwarded" to the correct user located behind
   the CGN device.

   The Port Control Protocol (PCP) [RFC6887] provides a mechanism to
   create a mapping from an external IP address and port to an internal
   IP address and port on a CGN device, precisely to achieve the "port
   forwarding" purpose.  PCP is a client-server protocol capable of
   creating or deleting a mapping, along with a rich set of features, on
   a CGN device in a dynamic fashion.  In some deployments, all a user
   needs is a few, typically just one, pre-configured port mapping for
   applications such as a web cam at home, and such a port mapping
   remains valid throughout the duration of the customer's Internet
   service connection.  In such an environment, it is possible to
   statically configure a port mapping on the RADIUS server for a user
   and let the RADIUS protocol propagate the information to the
   associated CGN device.

   Note that this document targets deployments where a AAA server is
   responsible for instructing NAT mappings for a given subscriber and
   does not make any assumption about the host's capabilities with
   regard to port forwarding control.  This deployment is complementary
   to PCP, given that PCP targets a different deployment model where an
   application (on the host) controls its mappings in an upstream CPE,
   CGN, firewall, etc.

   Figure 18 illustrates how the RADIUS protocol is used to configure a
   forwarding port mapping on a NAT44 device.
      Host                     CGN/NAS                      AAA
        |                        BNG                       Server
        |                         |                           |
        |----Service Request----->|                           |
        |                         |                           |
        |                         |-----Access-Request------->|
        |                         |                           |
        |                         |<-----Access-Accept--------|
        |                         |  (IP-Port-Forwarding-Map) |
        |<---Service Granted -----|                           |
        |   (other parameters)    |                           |
        |                         |                           |
        |      (Create a port mapping                         |
        |       for the user, and                             |
        |       associate it with the                         |
        |       internal IP address                           |
        |       and external IP address)                      |
        |                         |                           |
        |                         |                           |
        |                         |-----Accounting-Request--->|
        |                         |  (IP-Port-Forwarding-Map) |

       Figure 18: RADIUS Message Flow for configuring a forwarding port
                                  mapping

   A port forwarding mapping that is created on a CGN device using this
   RADIUS extension as described above may also be changed using a
   RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
   The CoA message may be sent from the RADIUS server directly to the
   NAS; once the NAS accepts it and sends back a RADIUS CoA ACK message,
   the new port forwarding mapping replaces the previous one.

   Figure 19 illustrates how the RADIUS protocol is used to change an
   existing port mapping from (a:X) to (a:Y), where "a" is an internal
   port, and "X" and "Y" are external ports, respectively, for a
   specific user with a specific IP address.

      Host                     CGN/NAS                      AAA
        |                        BNG                       Server
        |                         |                           |
        |               Internal IP Address                   |
        |                 Port Map (a:X)                      |
        |                         |                           |
        |                         |<-------CoA Request--------|
        |                         |  (IP-Port-Forwarding-Map) |
        |                         |                           |
        |               Internal IP Address                   |
        |                 Port Map (a:Y)                      |
        |                         |                           |
        |                         |-------CoA Response------->|
        |                         |  (IP-Port-Forwarding-Map) |

       Figure 19: RADIUS Message Flow for changing a user's forwarding
                               port mapping

4.1.4.  An Example

   An Internet Service Provider (ISP) assigns 500 TCP/UDP ports to the
   user Joe.  This number is the limit that can be used for TCP/UDP
   ports on a CGN device for Joe, and is configured on a RADIUS server.
   Also, Joe asks for a pre-defined port forwarding mapping on the CGN
   device for his web cam application (external port 5000 maps to
   internal port 1234).

   When Joe successfully connects to the Internet service, the RADIUS
   server conveys the TCP/UDP port limit (500) and the forwarding port
   mapping (external port 5000 to internal port 1234) to the CGN device,
   using the IP-Port-Limit-Info Attribute and the IP-Port-Forwarding-Map
   Attribute, respectively, carried by an Access-Accept message to the
   BNG where the NAS and CGN are co-located.

   Upon receiving the first outbound IP packet sent from Joe's laptop,
   the CGN device decides to allocate a small port pool that contains 40
   consecutive ports, from 3500 to 3540, inclusively, and also assigns
   the shared IPv4 address 192.0.2.15 to Joe.  The CGN device also
   randomly selects one port from the allocated range (say 3519) and
   uses that port to replace the original source port in outbound IP
   packets.

   For accounting purposes, the CGN device passes this port range
   (3500-3540) and the shared IPv4 address 192.0.2.15 together to the
   RADIUS server using the IP-Port-Range Attribute carried by an
   Accounting-Request message.

   When Joe works on more applications with more outbound IP mappings
   and the port pool (3500-3540) is close to exhaustion, the CGN device
   allocates a second port pool (8500-8800) in a similar fashion, and
   also passes the new port range (8500-8800) and the IPv4 address
   192.0.2.15 together to the RADIUS server using the IP-Port-Range
   Attribute carried by an Accounting-Request message.  Note that when
   the CGN allocates more ports, it needs to ensure that the total
   number of ports allocated for Joe is within the limit.

   Joe decides to upgrade his service agreement with more TCP/UDP ports
   allowed (up to 1000 ports).
   The ISP updates the information in Joe's profile on the RADIUS
   server, which then sends a CoA-Request message that carries the IP-
   Port-Limit-Info Attribute with 1000 ports to the CGN device; the CGN
   device in turn sends back a CoA-ACK message.  With that, Joe enjoys
   more available TCP/UDP ports for his applications.

   When Joe is not using his service, most of the IP mappings are closed
   with their associated TCP/UDP ports released on the CGN device, which
   then sends the relevant information back to the RADIUS server using
   the IP-Port-Range Attribute carried by an Accounting-Request message.

   Throughout Joe's connection with his ISP Internet service,
   applications can communicate with his web cam at home from the
   external realm, directly traversing the pre-configured mapping on the
   CGN device.

   When Joe disconnects from his Internet service, the CGN device will
   deallocate all TCP/UDP ports as well as the port-forwarding mapping,
   and send the relevant information to the RADIUS server.

4.2.  Report Assigned Port Set for a Visiting UE

   Figure 20 illustrates an example of the flow exchange which occurs
   when a visiting User Equipment (UE) connects to a CPE offering WLAN
   service.

   For identification purposes (see [RFC6967]), once the CPE assigns a
   port set, it issues a RADIUS message to report the assigned port set.

      UE              CPE                     CGN                     AAA
                       |                      BNG                    Server
                       |                       |                       |
                       |                       |                       |
                       |----Service Request--->|                       |
                       |                       |                       |
                       |                       |----Access-Request---->|
                       |                       |                       |
                       |                       |<----Access-Accept-----|
                       |<---Service Granted----|                       |
                       |   (other parameters)  |                       |
       ...            ...                     ...                     ...
       |<---IP@--------|                       |                       |
       |               |                       |                       |
       |     (CPE assigns a TCP/UDP port       |                       |
       |      range for this visiting UE)      |                       |
       |               |                       |                       |
       |               |--Accounting-Request-...---------------------->|
       |               |   (IP-Port-Range      |                       |
       |               |    for allocation)    |                       |
       ...            ...                     ...                     ...
       |               |                       |                       |
       |               |                       |                       |
       |     (CPE withdraws a TCP/UDP port     |                       |
       |      range for a visiting UE)         |                       |
       |               |                       |                       |
       |               |--Accounting-Request-...---------------------->|
       |               |   (IP-Port-Range      |                       |
       |               |    for deallocation)  |                       |
       |               |                       |                       |

        Figure 20: RADIUS Message Flow for reporting CPE allocation/
                  deallocation of a port set to a visiting UE

5.  Table of Attributes

   This document proposes three new RADIUS attributes and their formats
   are as follows:

   o  IP-Port-Limit-Info: 241.TBD1.

   o  IP-Port-Range: 241.TBD2.

   o  IP-Port-Forwarding-Map: 241.TBD3.

   Note to IANA: it is assumed that Extended-Type-1 "241" will be used
   for these attributes.

   The following table provides a guide to which types of RADIUS packets
   may contain these attributes, and in what quantity.

   Request Accept Reject Challenge Acct.   #     Attribute
                                   Request
     0+      0+     0       0       0+    TBA   IP-Port-Limit-Info
     0       0      0       0       0+    TBA   IP-Port-Range
     0+      0+     0       0       0+    TBA   IP-Port-Forwarding-Map

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the
       packet.

6.  Security Considerations

   This document does not introduce any security issue other than the
   ones already identified in RADIUS [RFC2865] and [RFC5176] for CoA
   messages.  Known RADIUS vulnerabilities apply to this specification.
   For example, if RADIUS packets are sent in the clear, an attacker in
   the communication path between the RADIUS client and server may glean
   information that it can use to prevent a legitimate user from
   accessing the service by appropriately setting the maximum number of
   IP ports conveyed in an IP-Port-Limit-Info Attribute, to exhaust the
   port quota of a user by installing many mapping entries (IP-Port-
   Forwarding-Map Attribute), to prevent incoming traffic from being
   delivered to its legitimate destination by manipulating the mapping
   entries installed by means of an IP-Port-Forwarding-Map Attribute, to
   discover the IP address and port range assigned to a given user as
   reported in an IP-Port-Range Attribute, etc.  The root cause of these
   attack vectors is the unprotected communication between the RADIUS
   client and server.

   The IP-Port-Local-Id TLV includes an identifier whose type and length
   are deployment and implementation dependent.  This identifier might
   carry privacy sensitive information.  It is therefore RECOMMENDED to
   utilize identifiers that do not have such privacy concerns.

   If there is any error in a RADIUS Accounting-Request packet sent from
   a RADIUS client to the server, the RADIUS server MUST NOT send a
   response to the client (refer to [RFC2866]).  Examples of such errors
   include an erroneous port range in an IP-Port-Range Attribute, an
   inconsistent port mapping in an IP-Port-Forwarding-Map Attribute,
   etc.

   This document targets deployments where a trusted relationship is in
   place between the RADIUS client and server with communication
   optionally secured by IPsec or Transport Layer Security (TLS)
   [RFC6614].

7.  IANA Considerations

   This document requires new code point assignments for both IPFIX
   Information Elements and RADIUS attributes as explained in the
   following sub-sections.
   It is assumed that Extended-Type-1 "241" will be used for the RADIUS
   attributes in Section 7.2.

7.1.  IANA Considerations on New IPFIX Information Elements

   The following is a new IPFIX Information Element as requested by this
   document (refer to Section 3.2.2):

   o  sourceTransportPortsLimit:

      *  Name: sourceTransportPortsLimit.

      *  Element ID: TBAx1.

      *  Description: This Information Element contains the maximum
         number of IP source transport ports that can be used by an end
         user when sending IP packets; each user is associated with one
         or more (source) IPv4 or IPv6 addresses.  This IE is
         particularly useful in address sharing deployments that adhere
         to REQ-4 of [RFC6888].  Limiting the number of ports assigned
         to each user ensures fairness among users and mitigates the
         denial-of-service attack that a user could launch against other
         users through the address sharing device in order to grab more
         ports.

      *  Data type: unsigned16.

      *  Data type semantics: totalCounter.

      *  Data type unit: ports.

      *  Data value range: from 1 to 65535.

7.2.  IANA Considerations on New RADIUS Attributes

   The authors request that the Attribute Types and Attribute Values
   defined in this document be registered by the Internet Assigned
   Numbers Authority (IANA) from the RADIUS namespaces as described in
   the "IANA Considerations" section of [RFC3575], in accordance with
   BCP 26 [RFC5226].  IANA is requested to place the RADIUS packets,
   attributes and registries created by this document at
   http://www.iana.org/assignments/radius-types.
   In particular, this document defines three new RADIUS attributes,
   entitled "IP-Port-Limit-Info" (see Section 3.1.1), "IP-Port-Range"
   (see Section 3.1.2) and "IP-Port-Forwarding-Map" (see Section 3.1.3),
   with assigned values of 241.TBD1, 241.TBD2 and 241.TBD3 from the
   Short Extended Space of [RFC6929]:

   Type       Name                      Meaning
   ----       ----                      -------
   241.TBD1   IP-Port-Limit-Info        see Section 3.1.1
   241.TBD2   IP-Port-Range             see Section 3.1.2
   241.TBD3   IP-Port-Forwarding-Map    see Section 3.1.3

7.3.  IANA Considerations on New RADIUS TLVs

   This specification requests allocation of the following TLVs:

   Name                      Value    Meaning
   ----                      -----    -------
   IP-Port-Type                1      see Section 3.2.1
   IP-Port-Limit               2      see Section 3.2.2
   IP-Port-Ext-IPv4-Addr       3      see Section 3.2.3
   IP-Port-Int-IPv4-Addr       4      see Section 3.2.4
   IP-Port-Int-IPv6-Addr       5      see Section 3.2.5
   IP-Port-Int-Port            6      see Section 3.2.6
   IP-Port-Ext-Port            7      see Section 3.2.7
   IP-Port-Alloc               8      see Section 3.2.8
   IP-Port-Range-Start         9      see Section 3.2.9
   IP-Port-Range-End          10      see Section 3.2.10
   IP-Port-Local-Id           11      see Section 3.2.11

8.  Acknowledgements

   Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
   Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful
   comments and suggestions.

   Special thanks to Lionel Morand for the Shepherd review and to
   Kathleen Moriarty for the AD review.

   Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed
   review.

9.  References

9.1.  Normative References

   [I-D.ietf-radext-datatypes]
              DeKok, A., "Data Types in the Remote Authentication Dial-
              In User Service Protocol (RADIUS)", draft-ietf-radext-
              datatypes-08 (work in progress), October 2016.

   [IPFIX]    IANA, "IP Flow Information Export (IPFIX) Entities".

   [ProtocolNumbers]
              IANA, "Protocol Numbers".
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              DOI 10.17487/RFC3575, July 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013.

9.2.  Informative References

   [I-D.gundavelli-v6ops-community-wifi-svcs]
              Gundavelli, S., Grayson, M., Seite, P., and Y. Lee,
              "Service Provider Wi-Fi Services Over Residential
              Architectures", draft-gundavelli-v6ops-community-wifi-
              svcs-06 (work in progress), April 2013.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
              and E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866,
              DOI 10.17487/RFC2866, June 2000.

   [RFC3022]  Srisuresh, P. and K.
Egevang, "Traditional IP Network 1680 Address Translator (Traditional NAT)", RFC 3022, 1681 DOI 10.17487/RFC3022, January 2001, 1682 . 1684 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1685 Congestion Control Protocol (DCCP)", RFC 4340, 1686 DOI 10.17487/RFC4340, March 2006, 1687 . 1689 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1690 RFC 4960, DOI 10.17487/RFC4960, September 2007, 1691 . 1693 [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. 1694 Aboba, "Dynamic Authorization Extensions to Remote 1695 Authentication Dial In User Service (RADIUS)", RFC 5176, 1696 DOI 10.17487/RFC5176, January 2008, 1697 . 1699 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 1700 NAT64: Network Address and Protocol Translation from IPv6 1701 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 1702 April 2011, . 1704 [RFC6158] DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines", 1705 BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011, 1706 . 1708 [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and 1709 P. Roberts, "Issues with IP Address Sharing", RFC 6269, 1710 DOI 10.17487/RFC6269, June 2011, 1711 . 1713 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 1714 Stack Lite Broadband Deployments Following IPv4 1715 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, 1716 . 1718 [RFC6598] Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and 1719 M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address 1720 Space", BCP 153, RFC 6598, DOI 10.17487/RFC6598, April 1721 2012, . 1723 [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga, 1724 "Transport Layer Security (TLS) Encryption for RADIUS", 1725 RFC 6614, DOI 10.17487/RFC6614, May 2012, 1726 . 1728 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 1729 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 1730 DOI 10.17487/RFC6887, April 2013, 1731 . 
   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6967]  Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Potential Solutions for Revealing a Host
              Identifier (HOST_ID) in Shared Address Deployments",
              RFC 6967, DOI 10.17487/RFC6967, June 2013.

   [RFC7785]  Vinapamula, S. and M. Boucadair, "Recommendations for
              Prefix Binding in the Context of Softwire Dual-Stack
              Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016.

   [TR-146]   Broadband Forum, "TR-146: Subscriber Sessions".

Authors' Addresses

   Dean Cheng
   Huawei
   2330 Central Expressway
   Santa Clara, California 95050
   USA

   Email: dean.cheng@huawei.com

   Jouni Korhonen
   Broadcom Corporation
   3151 Zanker Road
   San Jose 95134
   USA

   Email: jouni.nospam@gmail.com

   Mohamed Boucadair
   Orange
   Rennes
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina
   USA

   Email: ssenthil@cisco.com
