
NAT Working Group                                            NEC USA
INTERNET-DRAFT                                               Jeffrey Lo
Category: Informational                                      K.Taniguchi
Expire in six months                                         November,1998


     IP Host Network Address (and Port) Translation
                     <draft-ietf-nat-hnat-00.txt>

Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-
   Drafts as reference material or to cite them other than as
   "work in progress."

   To view the entire list of current Internet-Drafts, please check
   the "1id-abstracts.txt" listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
   (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
   (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
   (US West Coast).


Abstract

   Network Address Translation has become a popular technique that
   allows private addresses unregistered with the Internet Assigned
   Numbers Authority (IANA) to be used by organizations within a private
   routing realm. These private addresses must not be advertised in the
   public Internet. Hence network address translators (NATs) are placed
   at the private routing realm border to translate private addresses
   to globally unique addresses and vice versa before packets are
   exchanged between the disparate routing realms. These modifications
   of the packet header by the NAT cause problems with the use of
   end-to-end security protocols such as IPsec and DNSSEC, because
   network address translation does exactly what the security protocols
   are trying to prevent.

   Host Network Address Translation (HNAT) and Host Network Address Port
   Translation (HNAPT), on the other hand, enable end hosts to carry out
   address (and port) translation before applying security algorithms.
   To make dynamic HNAT and HNAPT possible, three conditions are
   essential. First, there must be a way for end hosts to discover the
   IP address of the Host-NA(P)T-Server. Second, there must be a way for
   externally destined packets to be routed in the private domain
   between the Host-NA(P)T-Client and the Host-NA(P)T-Server. Lastly,
   the Host-NA(P)T-Client must be able to obtain an address (and port)
   binding from the Host-NA(P)T-Server dynamically. This draft aims to
   address these issues to a


   Jeffrey Lo, K.Taniguchi                                      [page 1]


Internet Draft  Host Network Address (and Port) Translation  November 1998


   considerable extent. The methods suggested are by no means exhaustive
   in coverage, and implementation specifics may vary from vendor to
   vendor.

1. Introduction

   NAT itself comes in several flavors, including traditional NAT (basic
   NAT and Network Address Port Translation (NAPT)), Two-way NAT, Twin
   NAT, Host NAT and Host NAPT [1].  Traditional NAT only allows
   outbound sessions from the private to the public domain. While basic
   NAT uses a one-to-one mapping at the private domain border, NAPT
   allows many private addresses to map to one global address by
   utilizing transport level port information, e.g. TCP and UDP ports
   [2]. In addition to outbound sessions, two-way NAT also enables
   inbound sessions from the public to the private network. Twin NAT is
   used in cases where the address assignments of the disparate domains
   overlap, by changing both the source and destination fields. Host NAT
   and Host NAPT allow network address (and port) translation to be done
   by the Host-NA(P)T-Client itself, eliminating the traditional NAT
   limitation of having to do the translation at the border of the
   private realm.

   By using Host NAT and Host NAPT, communicating hosts are able to
   exercise end-to-end security by doing the address (and port)
   translation before applying the security mechanism. This solves the
   problem of using security mechanisms such as IPsec and DNSSEC in a
   NAT environment. Applications relaying IPv4 addresses and port
   information in the payload of their messages may find HNAT a
   valuable alternative to having an application specific
   application-level gateway (ALG) on the NAT.

   In a static HNAT and HNAPT environment, each Host-NA(P)T-Client
   needing to establish end-to-end sessions with an entity outside the
   private routing realm is statically assigned a global address (and
   port). After performing the necessary address (and port) translation,
   packets are tunneled to the Host-NA(P)T-Server by encapsulating them
   within an internally addressed header. The Host-NA(P)T-Server removes
   the tunneling header before forwarding the packet to the external
   realm.

   In a dynamic environment, in addition to the requirement of routing
   externally destined packets within the private domain, which could be
   handled by tunneling as proposed in [1], the Host-NA(P)T-Client must
   be able to discover the IP addresses of Host-NA(P)T-Servers attached
   to the private realm. This information could be configured manually
   or automatically; a scheme has to be devised for automatic
   configuration to be possible. The Host-NA(P)T-Client must also be
   able to obtain an address (and port) binding from the
   Host-NA(P)T-Server dynamically, through a lightweight protocol that
   enables not only address but also port negotiation. We propose the
   Dynamic Bindings Acquisition Protocol (DBAP) to serve this purpose.

2. Terminology

   Address Manager
   An entity responsible for global address and port assignment to
   Host-NAT-Clients. The address manager also maintains a
   private-to-global address and port mapping of all bindings and other
   related parameters such as the maximum lease time of the binds.

   External Entity
   An entity physically located within a globally unique routing realm.

   Global Address
   A globally unique address assigned by Internet Assigned Number Authority
   (IANA).

   Private Address
   Addresses used in a private routing realm which are not registered
   with IANA. Typically, but not necessarily, these addresses are within
   the ranges 10.0/8, 172.16/12 and 192.168/16 assigned by IANA. If
   addresses other than the ranges above were used, twin NAT would have
   to be deployed at the border.

   Host-NAT-Client
   A host in a private network that adopts an address in the external
   realm when connecting to hosts in that realm to pursue end-to-end
   communication.

   Host-NAPT-Client
   A host in a private network that adopts an address in the external
   realm and a port assigned by the address manager when connecting to
   hosts in that realm to pursue end-to-end communication.

   Host-NAT-Server
   A node that is resident on both the private and external realms and
   can facilitate routing of external realm packets within the private
   realm.

   Host-NAPT-Server
   A node that is resident on both the private and external realms and
   can facilitate routing of external realm packets within the private
   realm. In addition, the Host-NAPT-Server does one-to-many mapping of
   a global address to multiple private addresses by manipulating
   transport layer port information.

   Inbound Session
   A communication session initiated by an external entity.

   Outbound Session
   A communication session initiated by a Host-NAT-Client.

3. Overview of Dynamic HNAT

   In an HNAT environment where global addresses are dynamically
   assigned, Host-NAT-Clients obtain a global address assignment from
   the address manager when communication needs to be established with
   an external entity. This address manager may or may not reside on the
   Host-NAT-Server. Such a mechanism for dynamically obtaining a private
   to global address binding is discussed in Section 5. After obtaining
   a global address assignment, all communications between the two
   entities use globally unique addresses and require no translation by
   an intermediary process.

   A routing mechanism is required to route the end-to-end packets
   within the private realm. Such routing is usually facilitated by the
   Host-NAT-Server. Two approaches are defined in [1] and are repeated
   here. One approach is to embed the packet within an IP packet such
   that the outer packet is addressed between the Host-NAT-Client's
   private address and the external peer. A NAT router in between could
   then provide transparent routing of the outer packet by translating
   the outer IP header en route. A second approach is to embed the
   end-to-end packet inside a tunnel while it traverses the private
   network, such that the tunnel is addressed between the
   Host-NAT-Client's private address and a router resident on both
   realms.

   A Host-NAT-Client has the following characteristics.

   1. Is aware of the realm to which its peer nodes belong.

   2. Assumes an address from the external realm when communicating with
      hosts in that realm. Such an address may be assigned statically
      or, in the case of dynamic HNAT, obtained dynamically from the
      address manager.

   3. Routes packets to external hosts using an approach amenable to the
      Host-NAT-Server. In all cases, the Host-NAT-Client will likely
      need to act as a tunnel end-point, capable of encapsulating
      end-to-end packets while forwarding and decapsulating them on the
      return path.

   A Host-NAT-Server has the following characteristics.

   1. May be configured with an address manager to assign addresses from
      the external realm to Host-NAT-Clients either statically or
      dynamically.

   2. Must be a router resident on both the private and external routing
      realms.

   3. Must be able to provide a mechanism to route external realm
      packets within the private realm. Of the two approaches described,
      the first approach requires the Host-NAT-Server to be a NAT router
      providing transparent routing for the outer header. This approach
      requires the external peer to be a tunnel end-point.

      With the second approach, a Host-NAT-Server could be any router
      that can be a tunnel end-point with Host-NAT-Clients. It would
      detunnel end-to-end packets outbound from Host-NAT-Clients and
      forward them to external hosts. On the return path, it would
      locate the Host-NAT-Client tunnel based on the destination address
      of the end-to-end packet and encapsulate the packet in a tunnel to
      forward it to the Host-NAT-Client.

4. Overview of HNAPT

   HNAPT is similar to HNAT, in that it allows the Host-NAPT-Client to
   do network address and port translation on behalf of the
   Host-NAPT-Server. Many-to-one mapping is possible by allowing
   multiple private addresses to share a single global address,
   multiplexed based on transport identifiers such as TCP/UDP port
   numbers and ICMP Query IDs.

   Host-NAPT-Clients are identified by a tuple of both address and port
   assignment. The methods discussed in the previous section could be
   used to route HNAPT packets within the private routing realm. Since a
   combination of destination address and transport identifier is used
   by the Host-NAPT-Server to identify the Host-NAPT-Client,
   confidentiality provided by security mechanisms that hide the
   transport identifier cannot be used with HNAPT, although
   authentication and integrity can be attained. The Host-NAPT-Client
   needs to be able to acquire a port or range of ports binding from the
   Host-NAPT-Server. Such a requirement could be satisfied by DBAP,
   discussed in section 5.

5. Dynamic Binding Acquisition Protocol (DBAP)

   The Dynamic Binding Acquisition Protocol (DBAP) provides a way for
   the Host-NA(P)T-Client to dynamically acquire a private address to
   global address (and port) binding from the address manager. While the
   Port Distribution Protocol (PDP) proposed in [4] solves the issue of
   dynamic port assignment, that scheme focuses mainly on small-scale
   implementations of NAT where only a single globally unique address is
   managed by the NAT device. This IP address is also assumed to be
   static or not to change frequently. Hence there is no way to resolve
   unique address assignment using PDP, which is fundamental when more
   than one global address is managed by the address manager. DBAP is
   therefore introduced as a more generic protocol that enables both
   dynamic address and port assignment. DBAP requests and responses
   could be carried as an ICMP type or over TCP or UDP. Six message
   types are defined at this moment. More message types and
   functionality will be introduced as the scheme progresses toward a
   more mature stage of development.

   Extension of DBAP to the Twin NAT environment will be studied and
   added in a later version of this Internet Draft.

   The table below describes the direction of each message:

        Message Type                    Direction

        Assign Request                  Host-NAT-Client -> Host-NAT-Server
        Assign Response                 Host-NAT-Server -> Host-NAT-Client
        Free Request                    Host-NAT-Client -> Host-NAT-Server
        Free Response                   Host-NAT-Server -> Host-NAT-Client
        ERROR Response                  Host-NAT-Server -> Host-NAT-Client
        End Notification                Host-NAT-Server -> Host-NAT-Client

5.1 ASSIGN REQUEST

   ASSIGN REQUEST is used by the Host-NA(P)T-Client to request a global
   address (and port) assignment from the Address Manager. In cases
   where multiple global addresses are required, multiple ASSIGN
   REQUESTs, each with a different BindID [5], must be sent. If an
   ASSIGN RESPONSE corresponding to an ASSIGN REQUEST is not received
   from the Host-NA(P)T-Server, the Host-NA(P)T-Client may issue another
   ASSIGN REQUEST with the same BindID after a default timeout, the
   ASSIGN-WAIT time. A Host-NA(P)T-Server receiving more than one
   successful ASSIGN REQUEST with the same BindID should discard the
   subsequent requests and respond with an ASSIGN RESPONSE. The format
   of the message is shown below.


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BindID                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Num. of Ports         |         Lowest Port           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Global IP Address Assigned                 |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |        Max. Lease Time        |             Unused            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 ASSIGN REQUEST Format

   Type : to be defined
   Code : 0
   Checksum : 16-bit 1's complement of the 1's complement sum of the entire
              request. The checksum itself is set to 0 during computation.
   BindID : A randomly generated value in the range 0x1 to 0xFFFFFFFF,
            chosen by the Host-NA(P)T-Client during the first ASSIGN
            REQUEST pertaining to a BIND. This value should be included
            in every DBAP message exchanged pertaining to that BIND and
            is maintained by the Host-NA(P)T-Server as the binding
            identifier.
   Num. of Ports : Number of ports requested. This field is 0 when no
                   port translation is used.
   Lowest Port : Must be set to 0
   Global IP Address Assigned : Must be set to 0
   MaxLeaseTime : Maximum time interval in seconds that the
                  Host-NAT-Client wishes the Host-NAT-Server to reserve
                  the BIND. This value should be 0 if it is not used.
   Unused : Must be set to 0.

5.2 ASSIGN RESPONSE

   ASSIGN RESPONSE is used to inform requesting Host-NA(P)T-Client of
   the newly assigned global address, port and other parameters related to
   the assignment.


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BindID                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Num. of Ports         |         Lowest Port           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                   Global IP Address Assigned                  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |        Max. Lease Time        |             Unused            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                              ASSIGN RESPONSE Format

   Type : to be defined
   Code : 1
   Checksum : 16-bit 1's complement of the 1's complement sum of the
              entire message. The checksum itself is set to 0 during
              computation.
   BindID : BindID of the ASSIGN REQUEST that this response corresponds
            to.
   Num. of Ports : Total number of ports allocated to the host. When no
                   port translation is used, this field must be zero.
   Lowest Port : Lowest port number allocated in the block. When no port
                 translation is used, this field must be zero.
   Global IP Address Assigned : This field contains the global IP
                                address assigned by the NAT device. Even
                                if only one global address is managed by
                                the Host-NA(P)T-Server, this field must
                                be filled with that address.
   MaxLeaseTime : Maximum time interval in seconds that the
                  Host-NAT-Server allocates for this BIND. This value
                  should be 0 if it is not used.
   Unused : Must be 0

   In the case of port translation, the address manager is free to
   allocate a smaller number of ports than that requested by the
   Host-NAT-Client. Likewise, the Host-NAT-Server is free to allocate a
   shorter lease time than that requested.
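
   The two message formats above, as an added example that is not part
   of the draft or any code by its authors: a Python encoder/decoder for
   ASSIGN REQUEST and ASSIGN RESPONSE that computes and verifies the 1's
   complement checksum and checks the section 5.1 field rules. The Type
   value is a placeholder (the draft leaves it undefined), and mapping
   a malformed request to Bad Request is this example's choice.

```python
"""DBAP ASSIGN REQUEST / ASSIGN RESPONSE codec (sections 5.1 and 5.2)."""
import secrets
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# The draft leaves "Type" as "to be defined"; 0 is a placeholder assumption
# so that the example can be encoded and run.
DBAP_TYPE = 0
CODE_ASSIGN_REQUEST = 0      # section 5.1
CODE_ASSIGN_RESPONSE = 1     # section 5.2
ERR_BAD_REQUEST = 0x01       # section 5.5

# Wire layout (20 octets, network byte order), in the order of the diagram:
# Type(8) Code(8) Checksum(16) BindID(32) NumPorts(16) LowestPort(16)
# GlobalIP(32) MaxLeaseTime(16) Unused(16)
ASSIGN_FMT = "!BBHIHH4sHH"
ASSIGN_LEN = struct.calcsize(ASSIGN_FMT)   # 20


def internet_checksum(data: bytes) -> int:
    """16-bit 1's complement of the 1's complement sum of `data`.

    Computed over the message with its checksum field set to 0. Run over a
    message whose checksum field is already filled in, it returns 0 when
    the message is intact, which is how decode_assign() verifies it.
    """
    if len(data) % 2:
        data += b"\x00"                      # pad odd length (not needed for 20 octets)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def new_bind_id() -> int:
    """Random BindID in 0x1..0xFFFFFFFF, chosen by the client for a new BIND."""
    return secrets.randbelow(0xFFFFFFFF) + 1


@dataclass
class AssignMessage:
    code: int
    bind_id: int
    num_ports: int = 0           # 0 when no port translation is used
    lowest_port: int = 0         # must be 0 in a request
    global_ip: str = "0.0.0.0"   # must be 0 in a request; assigned address in a response
    max_lease: int = 0           # seconds; 0 when not used

    def encode(self) -> bytes:
        body = struct.pack(ASSIGN_FMT, DBAP_TYPE, self.code, 0, self.bind_id,
                           self.num_ports, self.lowest_port,
                           socket.inet_aton(self.global_ip), self.max_lease, 0)
        csum = internet_checksum(body)       # checksum field is 0 while computing
        return body[:2] + struct.pack("!H", csum) + body[4:]


def decode_assign(data: bytes) -> AssignMessage:
    """Parse an ASSIGN REQUEST or ASSIGN RESPONSE, rejecting bad length/checksum."""
    if len(data) != ASSIGN_LEN:
        raise ValueError("DBAP assign message must be %d octets" % ASSIGN_LEN)
    if internet_checksum(data) != 0:
        raise ValueError("DBAP checksum mismatch")
    typ, code, _csum, bind_id, nports, lowest, ip, lease, unused = struct.unpack(
        ASSIGN_FMT, data)
    if typ != DBAP_TYPE or code not in (CODE_ASSIGN_REQUEST, CODE_ASSIGN_RESPONSE):
        raise ValueError("not a DBAP assign message")
    if unused != 0:
        raise ValueError("Unused field must be 0")
    return AssignMessage(code, bind_id, nports, lowest, socket.inet_ntoa(ip), lease)


def check_assign_request(msg: AssignMessage) -> Optional[int]:
    """Server-side check of a decoded ASSIGN REQUEST; returns an error code or None.

    The draft requires BindID != 0, Lowest Port == 0 and Global IP == 0 in a
    request. Mapping violations to Bad Request (0x01) is this example's
    choice, not something the draft specifies.
    """
    if msg.code != CODE_ASSIGN_REQUEST or msg.bind_id == 0:
        return ERR_BAD_REQUEST
    if msg.lowest_port != 0 or msg.global_ip != "0.0.0.0":
        return ERR_BAD_REQUEST
    return None


if __name__ == "__main__":
    # Constructed exchange: client asks for an address only (no ports), 1 hour lease.
    req = AssignMessage(CODE_ASSIGN_REQUEST, new_bind_id(), max_lease=3600)
    wire = req.encode()
    assert decode_assign(wire) == req and check_assign_request(req) is None
    resp = AssignMessage(CODE_ASSIGN_RESPONSE, req.bind_id, global_ip="192.0.2.10",
                         max_lease=1800)
    print(wire.hex(), decode_assign(resp.encode()), sep="\n")
```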

5.3 FREE REQUEST

   FREE REQUEST is used by the Host-NAT-Client to free an address or
   port assignment. If a FREE RESPONSE corresponding to a FREE REQUEST
   is not received from the Host-NA(P)T-Server, the Host-NA(P)T-Client
   may issue another FREE REQUEST with the same BindID, address and port
   information after a default timeout, the FREE-WAIT time. A
   Host-NA(P)T-Server receiving a valid FREE REQUEST for a bind should
   move the bind to the FIN-WAIT state and wait for a FIN-WAIT time
   interval before releasing the bind. A Host-NA(P)T-Server receiving
   more than one FREE REQUEST with the same BindID, address and port
   information during the FIN-WAIT interval should discard the
   subsequent requests and reply with a FREE RESPONSE. The FIN-WAIT
   interval should be greater than the FREE-WAIT interval.

   Host-NAPT-Clients are able to free a subset of the port range
   reserved. Port ranges not freed should be freed by subsequent FREE
   REQUESTs or are deleted when the Maximum Lease Time elapses. If a
   Host-NAT-Client tries to free a port range that exceeds the range of
   the bind, the Host-NAT-Server must return an ERROR RESPONSE with
   error code Incorrect Port Range and keep the bind intact. Although
   DBAP does support subset port range release, we do not recommend
   this practice since it would greatly complicate Host-NAT-Server side
   implementations.


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BindID                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Num. of Ports         |         Lowest Port           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Global IP Address Assigned                 |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 FREE REQUEST Format

   Type : to be defined
   Code : 2
   Checksum : 16-bit 1's complement of the 1's complement sum of the entire
              request. The checksum itself is set to 0 during computation.
   BindID : BindID of the ASSIGN REQUEST that this request corresponds
            to.
   Num. of Ports : Total number of ports in the block to be freed. When
                   no port translation is used, this field must be zero.
   Lowest Port : Lowest port number in the block to be freed. When no
                 port translation is used, this field must be zero.
   Global IP Address Assigned : Global address to be freed

5.4 FREE RESPONSE

   FREE RESPONSE must be sent by the Host-NA(P)T-Server for every valid
   FREE REQUEST processed.


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BindID                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Num. of Ports         |         Lowest Port           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Global IP Address Assigned                 |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 FREE RESPONSE Format

   Type : to be defined
   Code : 3
   Checksum : 16-bit 1's complement of the 1's complement sum of the
              entire message. The checksum itself is set to 0 during
              computation.
   BindID : BindID of the ASSIGN REQUEST that this response corresponds
            to.
   Num. of Ports : Total number of ports in the block freed. When no
                   port translation is used, this field must be zero.
   Lowest Port : Lowest port number in the block freed. When no port
                 translation is used, this field must be zero.
   Global IP Address Assigned : Global address freed by the
                                Host-NA(P)T-Server.

5.5 ERROR RESPONSE

   ERROR RESPONSEs are sent by the Host-NA(P)T-Server to the
   Host-NA(P)T-Client in response to any error condition that may
   arise.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BindID                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          Error Code           |           Unused              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 ERROR RESPONSE Format

   Type : to be defined
   Code : 4
   Checksum : 16-bit 1's complement of the 1's complement sum of the
              entire message. The checksum itself is set to 0 during
              computation.
   BindID : BindID of the ASSIGN REQUEST that this response corresponds
            to.
   Error Code : Reason for the error. Vendor specific error codes could
                be introduced.

                Error Codes             Error
                0x01                    Bad Request
                0x02                    BindID Not Found
                0x03                    Wrong BindID
                0x04                    Out of Port
                0x05                    Out of Address
                0x06                    Unauthorized
                0x07                    Incorrect Port Range
                0x08                    Incorrect Address
   Unused : Must be 0.

   Bad Request
   Request format not understood by Host-NA(P)T-Server

   BindID Not Found
   BindID in the DBAP message is not found on Host-NA(P)T-Server record.

   Wrong BindID
   Bind record on Host-NA(P)T-Server specified by BindID on message does
   not belong to this Host-NA(P)T-Client.

   Out of Port
   This error code is used in response to an ASSIGN REQUEST. The
   Host-NAPT-Server is temporarily out of unassigned port ranges.

   Out of Address
   This error code is used in response to an ASSIGN REQUEST. The
   Host-NAT-Server is temporarily out of unassigned global addresses.

   Unauthorized
   This error code is used in response to an ASSIGN REQUEST. The
   Host-NA(P)T-Client is not authorized to obtain bindings with this
   Host-NA(P)T-Server. This error response could be returned after
   checking with a policy module.

   Incorrect Port Range
   This error code is used in response to FREE REQUEST. Port range in the
   FREE REQUEST is not correct for the bind record on Host-NAPT-server.

   Incorrect Address
   This error code is used in response to FREE REQUEST. Address contained
   in the FREE REQUEST is not correct for the bind record on
   Host-NA(P)T-server.

5.6 END Notification

   END Notification is sent by the Host-NA(P)T-Server to inform the
   Host-NA(P)T-Client of the expiration of a particular bind. Again, the
   Host-NA(P)T-Server must wait for the FIN-WAIT interval before
   releasing the bind.


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BindID                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Num. of Ports         |         Lowest Port           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Global IP Address Assigned                 |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 END Notification Format

   Type : to be defined
   Code : 5
   Checksum : 16-bit 1's complement of the 1's complement sum of the
              entire message. The checksum itself is set to 0 during
              computation.
   BindID : BindID of the ASSIGN REQUEST that this notification
            corresponds to.
   Num. of Ports : Total number of ports in the block to be ended. When
                   no port translation is used, this field must be zero.
   Lowest Port : Lowest port number in the block to be ended. When no
                 port translation is used, this field must be zero.
   Global IP Address Assigned : Global IP address this notification
                                refers to.

   Host-NA(P)T-Clients are not expected to acknowledge receipt of this
   notification. After the FIN-WAIT interval has elapsed, data packets
   received pertaining to this bind will be answered with an ICMP host
   unreachable response.

6. Scenarios

   The scenarios given are common examples of how HNAT and DBAP could
   be used in real life. In scenarios pertaining to DNS lookup, DNSSEC
   is assumed to be implemented on all DNS servers. Although the
   mechanism could be extended to any end-to-end security mechanism,
   IPsec is used in the examples due to its popularity today. Private
   routing realms are assumed to have global routing capabilities, that
   is, addresses from external domains are advertised by the NAT router
   in the private domain but not the other way round. At least one DNS
   server within the private realm is responsible for handling queries
   from external entities and, for simplicity, such DNS servers are
   assumed to be statically assigned a global address each. Security
   Association (SA) negotiation using the Internet Security Association
   and Key Management Protocol (ISAKMP) in a NAT environment is outside
   the scope of this document. This issue may be addressed in the
   work-in-progress Internet Draft [6]. Hence, for simplicity, end hosts
   are assumed to have completed security association (SA) negotiation
   using ISAKMP, and details of the ISAKMP negotiation, particularly
   ISAKMP SA establishment and Internet Key Exchange (IKE), are omitted.
   These scenarios illustrate address translation without port
   translation; the cases with port translation could be derived
   without too much effort.

6.1 Outbound Data Session with End-to-End Security (IPSEC)

   Here we consider the outbound data stream of a session between an
   external entity X and an internal host A with IP security. IP
   tunneling is used to route the packet in the private realm.

   1. First of all, host A requests a global address from the
      Host-NAT-Server using DBAP. It sends a DBAP ASSIGN REQUEST with a
      randomly generated BindID field and the "Lowest Port", "Num. of
      Ports" and "Global IP Address Assigned" fields filled with 0s. It
      may optionally include a maximum lease time value. When this DBAP
      request reaches the Host-NAT-Server, a global address, say U, is
      pulled from the address pool and assigned to A. The binding timer
      is started and the Host-NAT-Server replies to host A with a DBAP
      ASSIGN RESPONSE with the "Lowest Port" and "Num. of Ports" fields
      set to zero, and the "Global IP Address Assigned" field set to U.
   2. Host A then computes the cryptographic algorithm using the address
      of X as the destination address and the assigned global address U
      as the source address. Before sending the packet out to the
      private network, host A encapsulates the packet with an internally
      addressed IP header and tunnels it to the Host-NAT-Server.
   3. When the packet reaches the Host-NAT-Server, it is decapsulated
      and routed in the external realm to X.

6.2 Inbound DNS Name Lookup Query with DNSSEC

   In this scenario, an external entity X wishes to perform a name
   lookup for an internal host A. DNSSEC is applied to all DNS servers.
   The sequence of events is as follows.

   1. Host X sends a DNS query to its local DNS server.
   2. The DNS server of X.external.com queries the root DNS server.
   3. The root DNS server replies with a referral to the DNS server of
      the private network.
   4. The DNS server of X.external.com sends a query to the DNS server of
      the private network.
   5. When the query reaches the DNS server of the private network, it
      does a lookup on "A.private.com" and finds A's local address, say
      10.0.0.1.
   6. The DNS server then obtains a global address for A using DBAP. It
      sends a DBAP ASSIGN REQUEST with the "Lowest Port", "Num. of Port"
      and "Assigned Global Address" fields filled with 0s and a randomly
      generated BINDID. When this DBAP request reaches the
      Host-NAT-Server, a global address, say U, is pulled from the
      address pool and assigned to 10.0.0.1. The bind timer is started
      and the Host-NAT-Server replies to the DNS server with a DBAP
      ASSIGN RESPONSE with the "Lowest Port" and "Num. of Port" fields
      set to zero and the "Assigned Global Address" field set to U. The
      DNS server of the private network then encrypts U in the DNS
      response payload and sends it back to the DNS server of
      X.external.com. The response traverses the
      Host-NAT-Server unchanged. No DNS-ALG [3] is required at the NAT.
   7. The DNS server of X.external.com replies to Host X with the address
      U assigned to Host A by the NAT router.
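   The DBAP ASSIGN exchange is the common step of sections 6.1 and 6.2,
   so one worked model serves both. The following is an added example,
   not code from the draft or its authors: it models a Host-NAT-Server
   with an address pool and binding timers, the IP-in-IP tunnel of 6.1,
   and the DNS-initiated assignment of 6.2. DBAP field names follow the
   draft; the class and function names, the dict-based packet layout, the
   HMAC used as a stand-in for an IPsec ICV or DNSSEC signature, and every
   address, key and lease value are constructed assumptions.

```python
"""Added example, not from the draft: the DBAP ASSIGN exchange and the
flows of sections 6.1 and 6.2. Field names follow the draft; the class
and function names, dict packets, HMAC stand-in for an IPsec ICV or DNSSEC
signature, and all addresses and keys are constructed for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class AssignRequest:
    bindid: int                         # random identifier chosen by requester
    lowest_port: int = 0                # 0: no port range requested
    num_ports: int = 0                  # 0: no port range requested
    assigned_address: str = "0.0.0.0"   # all zeros: any free global address
    max_lease: int = 0                  # optional; 0 means "server default"

class HostNatServer:
    DEFAULT_LEASE = 600                 # binding timer in seconds (assumed)

    def __init__(self, internal_address, pool, clock):
        self.internal_address = internal_address
        self.pool = list(pool)          # free global addresses (constructed)
        self.bindings = {}              # bindid -> (local, global, expiry)
        self.clock = clock              # callable returning seconds

    def reclaim_expired(self):
        """Give addresses whose binding timer ran out back to the pool."""
        now = self.clock()
        for bindid, (_, u, expiry) in list(self.bindings.items()):
            if expiry <= now:
                del self.bindings[bindid]
                self.pool.append(u)

    def assign(self, req, requester_local):
        """DBAP ASSIGN REQUEST handler; None when the pool is exhausted."""
        self.reclaim_expired()
        if req.lowest_port or req.num_ports:
            raise NotImplementedError("port ranges are not modelled here")
        if not self.pool:
            return None
        lease = min(req.max_lease or self.DEFAULT_LEASE, self.DEFAULT_LEASE)
        u = self.pool.pop(0)
        self.bindings[req.bindid] = (requester_local, u, self.clock() + lease)
        # ASSIGN RESPONSE: port fields zero, Assigned Global Address = U
        return {"bindid": req.bindid, "lowest_port": 0, "num_ports": 0,
                "assigned_address": u}

    def decapsulate(self, outer):
        """Strip the internal outer header; forward the inner packet untouched."""
        if outer["dst"] != self.internal_address or outer["proto"] != "IPIP":
            raise ValueError("not a tunnel packet for this server")
        return outer["payload"]

def integrity_tag(key, pkt):
    """Stand-in for an IPsec ICV / DNSSEC signature over src, dst, payload."""
    msg = f"{pkt['src']}|{pkt['dst']}|{pkt['payload']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key, pkt, tag_field):
    """Receiver side: recompute the tag over the packet as it arrived."""
    return hmac.compare_digest(pkt[tag_field], integrity_tag(key, pkt))

def outbound_ipsec_flow(server, host_local, external_x, key):
    """Section 6.1: returns the packet exactly as X receives it."""
    resp = server.assign(AssignRequest(bindid=secrets.randbits(32)), host_local)
    u = resp["assigned_address"]                                # step 1
    inner = {"src": u, "dst": external_x, "payload": "ESP data"}
    inner["icv"] = integrity_tag(key, inner)                    # step 2
    outer = {"src": host_local, "dst": server.internal_address,
             "proto": "IPIP", "payload": inner}                 # tunnel header
    return server.decapsulate(outer)                            # step 3

def inbound_dns_flow(server, zone, name, key):
    """Section 6.2, steps 5-7: returns the signed answer X's resolver sees."""
    local = zone[name]                                          # step 5
    resp = server.assign(AssignRequest(bindid=secrets.randbits(32)), local)
    answer = {"src": "dns.private.com", "dst": "dns.external.com",
              "payload": f"{name} A {resp['assigned_address']}"}   # step 6
    answer["sig"] = integrity_tag(key, answer)                  # signed once,
    return answer                                               # never rewritten

def demo():
    """Runs both flows; shows why end-to-end integrity survives Host-NAT."""
    now = [1000.0]
    server = HostNatServer("10.0.0.254", ["192.0.2.1", "192.0.2.2"], lambda: now[0])
    key = b"constructed-shared-key"
    pkt = outbound_ipsec_flow(server, "10.0.0.1", "198.51.100.7", key)
    ok_hnat = verify(key, pkt, "icv")
    ok_trad = verify(key, dict(pkt, src="203.0.113.9"), "icv")  # traditional NAT
    answer = inbound_dns_flow(server, {"A.private.com": "10.0.0.1"}, "A.private.com", key)
    now[0] += HostNatServer.DEFAULT_LEASE + 1   # both binding timers expire
    server.reclaim_expired()
    return pkt["src"], ok_hnat, ok_trad, answer["payload"], len(server.pool)
```

   The contrast in demo() is the point of the draft's design: the
   integrity tag verifies at X because the Host-NAT-Server only removes
   the outer tunnel header, whereas the same packet fails verification
   once a traditional NAT rewrites its source address. The binding timer
   returns both addresses to the pool after the lease, which is why the
   scenarios describe the Host-NAT-Server starting a timer on every
   assignment.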

7. Architectural Enhancement on Host-NAT-Server and Host-NAT-Client

   To be discussed in later drafts.

8. Impact on Application and Application Level Gateway

   To be discussed in later drafts.

9. Security Considerations

   To be discussed in later drafts.

10. Acknowledgement

   We wish to acknowledge Dr. Takeshi Nishida for his valuable comments,
   which were very helpful in the writing of this draft.

11. References

   [1] P. Srisuresh, M. Holdrege, "NAT: Terminology and Considerations",
       <draft-ietf-nat-terminology-01.txt>, Work-in-progress

   [2] P. Srisuresh, K. Egevang, "Traditional IP Network Address
       Translator", <draft-ietf-nat-traditional-01.txt>, Work-in-progress

   [3] P. Srisuresh, G. Tsirtsis, P. Akkiraju, A. Heffernan,
       "DNS extensions to Network Address Translators (DNS_ALG)",
       <draft-ietf-nat-dns-alg-01.txt>, Work-in-progress

   [4] M. Borella, D. Grabelsky, I. Sidhu, B. Petry,
       "Distributed Network Address Translation",
       <draft-borella-aatn-dnat-01.txt>, Work-in-progress

   [5] P. Srisuresh, "IP Network Address Translator Application
       Programming Interface", <draft-ietf-nat-api-00.txt>,
       Work-in-progress

   [6] P. Srisuresh, "Security for IP Network Address Translator (NAT)
       Domains", <draft-ietf-nat-security-00.txt>, Work-in-progress

12. Authors' Address

   Jeffrey Lo
   NEC USA, Inc.
   110 Rio Robles
   San Jose, California 95134
   Voice : (408) 943 3033
   Fax : (408) 943 3099
   Email : jlo@ccrl.sj.nec.com

   Kunihiro Taniguchi
   NEC USA, Inc.
   110 Rio Robles
   San Jose, California 95134
   Voice : (408) 943 3031
   Fax : (408) 943 3099
   Email : taniguti@ccrl.sj.nec.com
