idnits 2.17.1

draft-vinapamula-softwire-dslite-prefix-binding-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (August 5, 2015) is 3186 days in the past.  Is this
     intentional?

  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Obsolete informational reference (is this intentional?): RFC 4941
     (Obsoleted by RFC 8981)

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                      S. Vinapamula
Internet-Draft                                          Juniper Networks
Intended status: Best Current Practice                      M. Boucadair
Expires: February 6, 2016                                 France Telecom
                                                          August 5, 2015

   Recommendations for Prefix Binding in the Softwire DS-Lite Context
           draft-vinapamula-softwire-dslite-prefix-binding-08

Abstract

   This document discusses issues induced by the change of the
   Dual-Stack Lite (DS-Lite) Basic Bridging BroadBand (B4) IPv6 address
   and sketches a set of recommendations to solve those issues.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 6, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  The Problem
   3.  Introducing Subscriber-Mask
   4.  Recommendations
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative references
     8.2.  Informative references
   Authors' Addresses

1.  Introduction

   IPv6 deployment models assume IPv6 prefixes are delegated by Service
   Providers to the connected CPEs (Customer Premises Equipment) or
   hosts, which in turn derive IPv6 addresses out of that prefix.  In
   the case of DS-Lite [RFC6333], which is an IPv4 service continuity
   mechanism over an IPv6 network, the Basic Bridging BroadBand (B4)
   element derives an IPv6 address for the IPv4-in-IPv6 softwire setup
   purposes.

   The B4 element might obtain a new IPv6 address, for a variety of
   reasons that include (but are not limited to) a reboot of the CPE,
   power outage, DHCPv6 lease expiry, or other actions undertaken by the
   Service Provider.  If this occurs, traffic forwarded to a B4's
   previous IPv6 address may never reach its destination or be delivered
   to another B4 that now uses the address formerly assigned to the
   original B4.  This situation affects all mapping types, both implicit
   (e.g., by sending a TCP SYN) and explicit (e.g., using Port Control
   Protocol (PCP) [RFC6887]).  The problem is further elaborated in
   Section 2.

   This document proposes recommendations to soften the impact of such
   renumbering issues (Section 4).

   Note that in some deployments, CPE renumbering may be required to
   accommodate some privacy-related requirements to avoid assigning the
   same prefix to the same customer.  It is out of scope for this
   document to discuss such contexts.

   This document complements [RFC6908].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  The Problem

   Since private IPv4 addresses assigned to hosts serviced by a B4
   element are overlapping across multiple CPEs, the IPv6 address of a
   B4 element plays a key role in de-multiplexing connections, enforcing
   policies, and in identifying associated resources assigned for each
   of the connections maintained by the Address Family Transition Router
   (AFTR, [RFC6333]).  For example, these resources maintain state of
   Endpoint-Independent Mapping (EIM, Section 4.1 of [RFC4787]),
   Endpoint-Independent Filtering (EIF, Section 5 of [RFC4787]),
   preserve the external IPv4 address assigned in the AFTR (i.e., "IP
   address pooling" behavior as defined in Section 4.1 of [RFC4787]),
   PCP mappings, etc.

   However, the IPv6 address used by the B4 element may change for some
   reason, e.g., because of a change in the CPE itself or maybe because
   of privacy extensions enabled for generating the IPv6 address (e.g.,
   [RFC7217] or [RFC4941]).  Whenever the B4's IPv6 address changes, the
   associated mappings created in the AFTR are no longer valid.  This
   may result in the creation of a new set of mappings in the AFTR.

   Furthermore, a misbehaving user may be tempted to change the B4's
   IPv6 address in order to "grab" more ports and resources at the AFTR
   side.  This behavior can be seen as a potential Denial of Service
   (DoS) attack from misbehaving users.  Note that this DoS attack can
   be achieved regardless of the port assignment policy enforced by the
   AFTR (individual ports, port sets, randomized port bulks, etc.).

   Service Providers may want to enforce policies in order to limit the
   usage of the AFTR resources on a per-subscriber basis for fairness of
   resource usage (see REQ-4 of [RFC6888]).  These policies are used for
   dimensioning purposes and also to ensure that AFTR resources are not
   exhausted.  If the derived B4's IPv6 address can change, resource
   tracking using that address will give incomplete results.  Also,
   whenever the B4's IPv6 address changes, enforcing policies based on
   this address doesn't resolve stale mappings hanging around in the
   system, consuming not only system resources, but also reducing the
   available quota of resources per subscriber.  Clearing those mappings
   can be envisaged, but that will cause a lot of churn in the AFTR and
   could be disruptive to existing connections, which is not desirable.

   When application servers are hosted behind a B4 element, and when
   there is a change of the B4's IPv6 address which results in a change
   of the external IPv4 address and/or the external port number at the
   AFTR side, these servers have to advertise their change (see
   Section 1.1 of [RFC7393]).  Means to discover the change of B4's IPv6
   address, the external IPv4 address and/or the external port are
   therefore required.  Latency issues are likely to be experienced when
   an application server has to advertise its newly assigned external
   IPv4 address and port, and the application clients have to discover
   that newly assigned address and/or port and re-initiate connections
   with the application server.

   A solution to these problems is to enforce policies based on the IPv6
   prefix assigned to DS-Lite serviced subscribers instead of the B4's
   IPv6 address.  Section 3 introduces the subscriber-mask that is meant
   to derive the IPv6 prefix assigned to a subscriber's CPE from the
   source IPv6 address of a packet received from a B4 element.

3.  Introducing Subscriber-Mask

   The subscriber-mask is defined as an integer that indicates the
   length of significant bits to be applied on the source IPv6 address
   (internal side) to identify unambiguously a CPE.

   Subscriber-mask is an AFTR system-wide configuration parameter that
   is used to enforce generic per-subscriber policies.  Applying these
   generic policies does not require configuring every subscriber's
   prefix.

   Subscriber-mask must be configurable; the default value is 56.

   Example: suppose the 2001:db8:100:100::/56 prefix is assigned to a
   DS-Lite enabled CPE.  Suppose also that the 2001:db8:100:100::1
   address is the IPv6 address used by the B4 element that resides in
   that CPE.  When the AFTR receives a packet from this B4 element
   (i.e., the source address of the IPv4-in-IPv6 packet is
   2001:db8:100:100::1), the AFTR applies the subscriber-mask (e.g., 56)
   on the source IPv6 address to compute the associated prefix for this
   B4 element (that is 2001:db8:100:100::/56).  Then, the AFTR enforces
   policies based on that prefix (2001:db8:100:100::/56), not on the
   exact source IPv6 address.

4.  Recommendations

   In order to mitigate the issues discussed in Section 2, the following
   recommendations are made:

   1.  A policy SHOULD be enforced at the AFTR to limit the number of
       active DS-Lite softwires per subscriber.  The default value MUST
       be 1.

          This policy aims to prevent a misbehaving subscriber from
          mounting several DS-Lite softwires that would consume
          additional AFTR resources (e.g., get more external ports if
          the quota were enforced on a per-softwire basis, consume extra
          processing induced by a large number of active softwires).

   2.  Resource contexts created and maintained by the AFTR SHOULD be
       based on the delegated IPv6 prefix instead of the B4's IPv6
       address.  The AFTR derives the delegated prefix from the B4's
       IPv6 address by means of a configured subscriber-mask
       (Section 3).  Administrators SHOULD configure per-prefix limits
       of resource usage, instead of per-tunnel limits.  These resources
       include the maximum number of active flows, the maximum number of
       PCP-created mappings, NAT pool resources, etc.

   3.  In the event a new IPv6 address is assigned to the B4 element,
       the AFTR SHOULD migrate existing state to be bound to the new
       IPv6 address.  This operation ensures that traffic destined to
       the previous B4's IPv6 address will be redirected to the newer
       B4's IPv6 address.  The destination IPv6 address for tunneling
       return traffic from the AFTR SHOULD be the last seen as the B4's
       IPv6 source address from the CPE.

          This recommendation avoids stale mappings at the AFTR and
          minimizes the risk of service disruption for subscribers.

          The AFTR uses the subscriber-mask to determine whether two
          IPv6 addresses belong to the same CPE (e.g., if the
          subscriber-mask is set to 56, the AFTR concludes that
          2001:db8:100:100::1 and 2001:db8:100:100::2 belong to the same
          CPE assigned with 2001:db8:100:100::/56).

   4.  In the event of a change of the CPE WAN's IPv6 prefix,
       unsolicited PCP ANNOUNCE messages SHOULD be sent by the B4
       element to internal hosts connected to the PCP-capable CPE so
       that they update their mappings accordingly.

          This allows internal PCP clients to update their mappings with
          the new B4's IPv6 address and to trigger updates to rendezvous
          servers (e.g., dynamic DNS).  A PCP-based dynamic DNS solution
          is specified in [RFC7393].

   5.  When a new prefix is assigned to the CPE, stale mappings may
       exist in the AFTR.  This will consume both implicit and explicit
       resources.  In order to avoid such issues, stable IPv6 prefix
       assignment is RECOMMENDED.

   6.  If, for any reason, an IPv6 prefix has to be reassigned, it is
       RECOMMENDED to reassign an IPv6 prefix (that was previously
       assigned to a given CPE) to another CPE only when all the
       resources in use associated with that prefix are cleared from the
       AFTR.  Doing so avoids redirecting traffic, destined to the
       previous prefix owner, to the new one.

5.  Security Considerations

   Security considerations related to DS-Lite are discussed in
   [RFC6333].

   Enforcing the recommendations documented in Section 4 together with
   rate limiting softwires with new source IPv6 addresses from the same
   prefix defends against DoS attacks that would result in varying the
   B4's IPv6 address to exhaust AFTR resources.  A misbehaving CPE can
   be blacklisted by enforcing appropriate policies based on the prefix
   derived from the subscriber-mask.

   Also, the recommendations in Section 4 ensure the traffic is
   forwarded to a legitimate CPE.  If those recommendations are not
   implemented, privacy concerns may arise (e.g., if an IPv6 prefix is
   reassigned while mapping entries associated with that prefix are
   still active in the AFTR, sensitive data that belong to a previous
   prefix owner may be disclosed to the new prefix owner).

6.  IANA Considerations

   This document does not require any action from IANA.

7.  Acknowledgements

   G. Krishna, C. Jacquenet, I. Farrer, Y. Lee, Q. Sun, R. Weber,
   and T. Taylor provided useful comments.  Many thanks to them.

8.  References

8.1.  Normative references

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
              "Dual-Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

8.2.  Informative references

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
              Extensions for Stateless Address Autoconfiguration in
              IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7217]  Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)", RFC 7217,
              DOI 10.17487/RFC7217, April 2014.

   [RFC7393]  Deng, X., Boucadair, M., Zhao, Q., Huang, J., and C. Zhou,
              "Using the Port Control Protocol (PCP) to Update Dynamic
              DNS", RFC 7393, DOI 10.17487/RFC7393, November 2014.

Authors' Addresses

   Suresh Vinapamula
   Juniper Networks
   1194 North Mathilda Avenue
   Sunnyvale, CA 94089
   USA

   Phone: +1 408 936 5441
   EMail: sureshk@juniper.net

   Mohamed Boucadair
   France Telecom
   Rennes 35000
   France

   EMail: mohamed.boucadair@orange.com
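
Added example (not part of the draft, and not taken from any AFTR implementation): a small Python model of the subscriber-mask derivation in Section 3, recommendations 2 and 3 of Section 4, and the rate limiting of new source addresses mentioned in Section 5. The class name, quota, rate-limit values and the sample flows are assumptions chosen for illustration.

```python
import ipaddress

class AftrPolicy:
    """Per-subscriber state keyed by the prefix derived with the subscriber-mask."""
    def __init__(self, subscriber_mask=56, max_mappings=2,
                 max_addr_changes=2, window=60.0):
        self.mask = subscriber_mask               # draft default is 56 (Section 3)
        self.max_mappings = max_mappings          # assumed per-prefix quota
        self.max_addr_changes = max_addr_changes  # assumed rate limit per window
        self.window = window                      # assumed window, in seconds
        self.ctx = {}                             # prefix -> resource context

    def prefix_of(self, src):
        # Apply the subscriber-mask to the softwire's source IPv6 address.
        return ipaddress.IPv6Network((src, self.mask), strict=False)

    def on_packet(self, src, flow, now):
        """Return 'ok' or a drop reason for one IPv4-in-IPv6 packet."""
        src = ipaddress.IPv6Address(src)
        c = self.ctx.setdefault(self.prefix_of(src),
                                {"b4": src, "mappings": set(), "changes": []})
        if src != c["b4"]:
            # Section 5: rate-limit new source addresses from the same prefix.
            c["changes"] = [t for t in c["changes"] if now - t < self.window]
            if len(c["changes"]) >= self.max_addr_changes:
                return "drop: address-change rate limit"
            c["changes"].append(now)
            # Recommendation 3: state stays bound to the prefix; return
            # traffic is tunneled to the last-seen B4 source address.
            c["b4"] = src
        if flow not in c["mappings"]:
            # Recommendation 2: the quota is per prefix, not per B4 address.
            if len(c["mappings"]) >= self.max_mappings:
                return "drop: per-prefix mapping quota"
            c["mappings"].add(flow)
        return "ok"

def demo():
    # Constructed traffic: one CPE cycling B4 addresses inside its /56.
    aftr, host = AftrPolicy(), "192.168.1.10"
    pkts = [("2001:db8:100:100::1", (host, 5000)), ("2001:db8:100:100::1", (host, 5001)),
            ("2001:db8:100:100::2", (host, 5002)), ("2001:db8:100:100::2", (host, 5000)),
            ("2001:db8:100:100::3", (host, 5000)), ("2001:db8:100:100::4", (host, 5000)),
            ("2001:db8:100:200::1", (host, 5000))]  # last one: a different subscriber
    results = [aftr.on_packet(src, flow, now) for now, (src, flow) in enumerate(pkts)]
    return results, str(aftr.ctx[aftr.prefix_of("2001:db8:100:100::1")]["b4"])

if __name__ == "__main__":
    print(demo())
```

In the constructed run, moving to a new address inside the same /56 does not earn extra mappings, the existing mapping keeps working after the move, and a third address change inside the window is dropped.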