idnits 2.17.1 

draft-naito-nat-resource-optimizing-extension-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 117: '...   A TCP server MAY accept a TCP SYN f...'
     RFC 2119 keyword, line 138: '...cal clients, NAT MAY assign the same e...'
     RFC 2119 keyword, line 184: '...n clients.  This MAY be done by distri...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer. 
     Otherwise, the disclaimer is needed and you can ignore this comment. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 26, 2012) is 4415 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC  793 (Obsoleted by RFC 9293)

  ** Obsolete normative reference: RFC 1323 (Obsoleted by RFC 7323)


     Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                           K. Naito
3	Internet-Draft                                              A. Matsumoto
4	Intended status: Informational                                       NTT
5	Expires: September 27, 2012                               March 26, 2012

7	                   NAT resource optimizing extension
8	            draft-naito-nat-resource-optimizing-extension-01

10	Abstract

12	   When network address translation (NAT) is used in an address resource
13	   restricted environment, or when a lot of users are located under a
14	   NAT device, IP addresses and port resources may be eaten up, and this
15	   affects user experiences very negatively.  This situation can be
16	   greatly mitigated by tweaking mapping behavior and session timer
17	   handling in NAT functions.  This document proposes two extensions for
18	   optimizing NAT IP address and port resources in address resource
19	   restricted environments.  One extension enables simultaneous use of a
20	   NAT external port for different transport sessions, and the other
21	   makes use of a TCP timestamp for TIME_WAIT assassination.

23	Status of this Memo

25	   This Internet-Draft is submitted in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF).  Note that other groups may also distribute
30	   working documents as Internet-Drafts.  The list of current Internet-
31	   Drafts is at http://datatracker.ietf.org/drafts/current/.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   This Internet-Draft will expire on September 27, 2012.

40	Copyright Notice

42	   Copyright (c) 2012 IETF Trust and the persons identified as the
43	   document authors.  All rights reserved.

45	   This document is subject to BCP 78 and the IETF Trust's Legal
46	   Provisions Relating to IETF Documents
47	   (http://trustee.ietf.org/license-info) in effect on the date of
48	   publication of this document.  Please review these documents
49	   carefully, as they describe your rights and restrictions with respect
50	   to this document.  Code Components extracted from this document must
51	   include Simplified BSD License text as described in Section 4.e of
52	   the Trust Legal Provisions and are provided without warranty as
53	   described in the Simplified BSD License.

55	   This document may contain material from IETF Documents or IETF
56	   Contributions published or made publicly available before November
57	   10, 2008.  The person(s) controlling the copyright in some of this
58	   material may not have granted the IETF Trust the right to allow
59	   modifications of such material outside the IETF Standards Process.
60	   Without obtaining an adequate license from the person(s) controlling
61	   the copyright in such materials, this document may not be modified
62	   outside the IETF Standards Process, and derivative works of it may
63	   not be created outside the IETF Standards Process, except to format
64	   it for publication as an RFC or to translate it into languages other
65	   than English.

67	1.  Introduction

69	   After IPv4 addresses run out, IPv4 address resources will be further
70	   restricted site-by-site.  If global IPv4 address are shared between
71	   several clients, assignable port resources at each client will be
72	   limited.

74	   NAT is a tool that is widely used to deal with this IPv4 address
75	   shortage problem.  However, the demand for resources to provide
76	   Internet access to users and devices will continue to increase.IPv6
77	   is a fundamental solution to this problem, but the deployment of IPv6
78	   will take time.

80	   In some cases, e.g. browsing a dynamic web page for a map service, a
81	   lot of sessions are used by the browser, and a number of ports are
82	   eaten up in a short time.  What is worse is that when a NAT is
83	   between a PC and a server, TIME_WAIT state of each TCP connection is
84	   kept for certain period, typically for four minutes, which consumes
85	   port resources.  Therefore, new connections cannot be established.

87	   This problem is caused or worsened by the following behaviors.

89	   1: In a lot of NAT implementations, a port that is available in NAT
90	      is allocated for a transport session.That is, a NAT does not use a
91	      port for multiple sessions simultaneously.

93	   2: TIME_WAIT state assigned for a TCP connection remains active for
94	      2MSL after the last ACK to the last FIN is transferred.

96	   We propose two mechanisms to change the above behaviors that make it
97	   possible to save addresses and ports resources.

99	1.1.   TCP TIME_WAIT

101	   The TCP TIME_WAIT state is described in RFC793 [RFC0793].  The TCP
102	   TIME_WAIT state needs to be kept for 2MSL before a connection is
103	   CLOSED, for the reasons below.

105	   1: In the event that packets from a session are delayed in the in-
106	      between network, and delivered to the end relatively later, we
107	      should prevent the packets from being transferred and interpreted
108	      as a packet that belongs to a new session.
109	   2: If the remote TCP has not received the acknowledgment of its
110	      connection termination request, it will re-send the FIN packet
111	      several times.

113	   These points are important for the TCP to work without problems.

115	1.2.   TIME_WAIT Assassination

117	   A TCP server MAY accept a TCP SYN for the 5-tuple session that is
118	   just finished and marked as TIME_WAIT state, as far as the TCP
119	   sequence number is increased.  This is known as TIME-WAIT
120	   assassination.  It should also be noted that some assassination
121	   hazards are described in RFC1337 [RFC1337].

123	1.3.   Protect Against Wrapped Sequence numbers (PAWS)

125	   The TCP sequence number wraps frequently especially in a high
126	   bandwidth session.  PAWS is used to prevent old duplicate packets
127	   that occurred in a previous session from being transferred to the new
128	   session whose valid TCP sequence numbers happen to overlap with the
129	   old duplicate packets.  This is implemented by introducing TCP
130	   timestamp option, and checking the timestamp option value of each
131	   packet.  PAWS is described in RFC1323 [RFC1323].

133	2.   NAT resource optimizing extension proposal

135	2.1.   Port overloading mechanism

137	   If destination addresses and ports are different at the outgoing
138	   sessions started by local clients, NAT MAY assign the same external
139	   port as the source ports at the sessions.  Port overlapping mechanism
140	   manages mappings between external packets and internal packets by
141	   looking at and storing the 5-tuple (protocol, source address, source
142	   port, destination address, destination port) of them.  Thus, enables
143	   concurrent use of single port for multiple transport sessions, which
144	   enables NAT to work correctly in IP address resource limited network.

146	   Discussions:

148	   RFC4787 [RFC4787] and RFC5382 [RFC5382] requires "endpoint-
149	   independent mapping" at NAT, and port overlapping NAT cannot meet the
150	   requirement.  This mechanism can degrade the transparency of NAT in
151	   that its mapping mechanism is endpoint-dependent and makes NAT
152	   traversal harder.  However, if a NAT adopts endpoint-independent
153	   mapping together with endpoint-dependent filtering, then the actual
154	   behavior of the NAT will be the same as port overlapping NAT.  It
155	   should also be noted that a lot of existing NAT devices adopted this
156	   port overlapping mechanism.

158	2.2.   Apply RFC6191 to NAT

160	   RFC 6191 [RFC6191] defines a mechanism for reducing the TIME_WAIT
161	   state using TCP timestamps.  This document proposes to apply this
162	   RFC6191 mechanism at NAT.  By tracing timestamp values in NAT that
163	   manages states of traversing TCP sessions, a TIME_WAIT remaining
164	   wait-time can be reduced to zero, when a TCP-SYN packet carrying a
165	   larger timestamp value arrives.  In this case, PAWS (Protect Against
166	   Wrapped Sequence Numbers) works to discard old duplicate packets at
167	   NAT.  A packet can be discarded as an old duplicate if it is received
168	   with a timestamp value less than a timestamp recently received on the
169	   connection.  When there are several clients with nonsuccessive
170	   timestamp values are connected to a NAT device (i.e. not
171	   monotonically increasing among clients), it prevents some clients
172	   from getting a port to start a connection for a long time because
173	   other clients with larger timestamp values are preferred.Two
174	   workarounds for this issue are described below.

176	2.2.1.   Rewrite timestamp values at NAT

178	   Rewrite timestamp values of outgoings packets at NAT to be
179	   monotonically increasing.

181	2.2.2.   Split an assignable number of port space to each client

183	   Set some rules among clients connecting to NAT, e.g., split
184	   assignable ports between clients.  This MAY be done by distributing
185	   rules to clients via NAT equipment.

187	3.  Security Considerations

189	   Security issues are not discussed in this memo.

191	4.  Normative References

193	   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
194	              RFC 793, September 1981.

196	   [RFC1323]  Jacobson, V., Braden, B., and D. Borman, "TCP Extensions
197	              for High Performance", RFC 1323, May 1992.

199	   [RFC1337]  Braden, B., "TIME-WAIT Assassination Hazards in TCP",
200	              RFC 1337, May 1992.

202	   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
203	              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
204	              RFC 4787, January 2007.

206	   [RFC5382]  Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
207	              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
208	              RFC 5382, October 2008.

210	   [RFC6191]  Gont, F., "Reducing the TIME-WAIT State Using TCP
211	              Timestamps", BCP 159, RFC 6191, April 2011.

213	Authors' Addresses

215	   Kengo Naito
216	   NTT SI Lab
217	   3-9-11 Midori-Cho
218	   Musashino-shi, Tokyo  180-8585
219	   Japan

221	   Phone: +81 422 59 4949
222	   Email: naito.kengo@lab.ntt.co.jp
223	   Arifumi Matsumoto
224	   NTT SI Lab
225	   3-9-11 Midori-Cho
226	   Musashino-shi, Tokyo  180-8585
227	   Japan

229	   Phone: +81 422 59 3334
230	   Email: arifumi@nttv6.net