[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04

Internet Engineering Task Force                             T. Tsou, Ed.
Internet-Draft                                 Huawei Technologies (USA)
Intended status: Informational                               T. Murakami
Expires: September 3, 2012                                   IP Infusion
                                                            S. Perreault
                                                                Viagenie
                                                           March 2, 2012


                Port Set Definition Algorithms Analysis
          draft-tsou-softwire-port-set-algorithms-analysis-00

Abstract

   This memo analyses the some port set definition algorithms which
   encodes port set infomation into IPv6 address so as to support
   stateless IPv4 to IPv6 transition technologies, e.g. 4rd-U and MAP.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 3, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as



Tsou, et al.            Expires September 3, 2012               [Page 1]


Internet-Draft        Port Set Algorithms Analysis            March 2012


   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Various types of algorithms  . . . . . . . . . . . . . . . . .  4
     3.1.  GMA style algorithms . . . . . . . . . . . . . . . . . . .  4
       3.1.1.  MAP  . . . . . . . . . . . . . . . . . . . . . . . . .  4
       3.1.2.  4rd-U  . . . . . . . . . . . . . . . . . . . . . . . .  6
       3.1.3.  divi-pd  . . . . . . . . . . . . . . . . . . . . . . .  7
       3.1.4.  Summary  . . . . . . . . . . . . . . . . . . . . . . .  8
     3.2.  Mask/Value style algorithms  . . . . . . . . . . . . . . .  8
     3.3.  Cryptographical style algorithms . . . . . . . . . . . . . 10
   4.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 12
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12





























Tsou, et al.            Expires September 3, 2012               [Page 2]


Internet-Draft        Port Set Algorithms Analysis            March 2012


1.  Introduction

   Some stateless IPv4 to IPv6 stransition technologies are invented by
   the industrial to provide IPv4 network service through IPv6 network,
   which also support IPv4 address sharing via port sets.  These
   technologies can significantly simplify the implementation of the
   border router and reduce resource requirement.

   In these solutions, a port set is assigned to each CPE, and can be
   calculated by a port set ID in conjunction with some other
   parameters; for any port number, the corresponding port set ID can
   also be derived, that means, the mapping algorithm must be
   reversible.  When the CPE needs to send an IPv4 packet, it can map an
   IPv4 packet into an IPv6 packet, either by translation or
   encapsulation, the IPv4 address and port set ID will be embedded into
   an IPv6 address; when the BR receive the IPv6 packet, it will
   decapsulate it.  When the BR need to forward an IPv4 packet to the
   CPE, it will first derive the port set ID from the port, and then map
   the IPv4 packet into an IPv6 packet.

   In order to support these technologies, some port set definition
   algorithms are worked out.  It may be useful to analyse the
   characteristics of these algorithms for better understanding and to
   choose a proper algorithm for different needs.

   A good port set definition algorithm must be reversible, easy to
   implement, and should be able to define non-continuous or random port
   sets for better security, be able to exclude the well known ports, 0
   ~ 1023 or 0 ~ 4095, etc.

   This memo will analyse the following characterics:

   o  Port set type: continuous, non-continuous, random

   o  Stateless: yes or no

   o  Security: security level, continuous port set provide common
      security, random port set provide good security.

   o  Implementation: implementation complexity, performance, etc.

   o  Friendliness for NAT44: comply with NAT44 or not

   o  Sharing ratio: maximum, minimum sharing ratio

   o  Revert calculation from port number to PSID at BR.





Tsou, et al.            Expires September 3, 2012               [Page 3]


Internet-Draft        Port Set Algorithms Analysis            March 2012


   o  Exclude well known ports


2.  Terminology

   BR:       Border Router.

   CPE:      Customer Premise Equipment.

   GMA:      Generalized Modulus Algorithm.

   MAP:      Map Address and Port.

   PSID:     Port Set ID, one of the key parameters used to derived a
             set of ports.


3.  Various types of algorithms

   Currently, the port set definition algorithms can be classified into
   three categories: GMA style, Mask/Value style and cryptographical
   style.

3.1.  GMA style algorithms

   Currently there are three sets of draft support GMA style algorithm:
   MAP [I-D.mdt-softwire-mapping-address-and-port], 4rd-U
   [I-D.despres-softwire-4rd-u] and divi-pd [I-D.xli-behave-divi-pd],
   but they are not exactly all the same.

3.1.1.  MAP

   In MAP [I-D.mdt-softwire-mapping-address-and-port], a port set can be
   defined by the following parameters:

      R: sharing ratio;

      P: PSID;

      M: maximum number of contiguous ports.

   To derive a port port from the port set, the following equation can
   be used:

   Port = R * M * j + M * P + i

   j is port range index: j = (4096 / M) / R to ((65536 / M) / R) - 1,
   if the port numbers (0 - 4095) are excluded.



Tsou, et al.            Expires September 3, 2012               [Page 4]


Internet-Draft        Port Set Algorithms Analysis            March 2012


   i is the port index in a sub port set, i = 0 to M-1;

   To derive the PSID from a given port:

   PSID = (floor(Port/M)) % R, where % is the modulus operator.

   Parameter M is to generate non-continuous ports sets, rather than a
   single continuous port set, which brings better sercurity.  If M=1, a
   single continuous port set is defined.

   PSID will be encoded in the IPv6 address, as shown in Figure 1 and
   Figure 2.

          0                          8                         15
          +---------------+----------+------+-------------------+
          |                     P                               |
          ----------------+-----------------+-------------------+
          |        A (j)  |   PSID (K)      |        M  (i)     |
          +---------------+----------+------+-------------------+
          |<----a bits--->|<-----k bits---->|<------m bits----->|

                       Figure 1: Bit representation


    |        32 bits           |         |    16 bits        |
    +--------------------------+         +-------------------+
    | IPv4 destination address |         |  IPv4 dest port   |
    +--------------------------+         +-------------------+
                    :          :           ___/       :
                    | p bits   |          /  q bits   :
                    +----------+         +------------+
                    |IPv4  sufx|         |Port-Set ID |
                    +----------+         +------------+
                    \          /    ____/    ________/
                      \       :  __/   _____/
                        \     : /     /
    |     n bits         |  o bits   | m bits  |   128-n-o-m bits      |
    +--------------------+-----------+---------+------------+----------+
    |  Rule IPv6 prefix  |  EA bits  |subnet ID|     interface ID      |
    +--------------------+-----------+---------+-----------------------+
    |<---  End-user IPv6 prefix  --->|

                  Figure 2: Deriving of MAP IPv6 address








Tsou, et al.            Expires September 3, 2012               [Page 5]


Internet-Draft        Port Set Algorithms Analysis            March 2012


3.1.2.  4rd-U

   In 4rd-U [I-D.despres-softwire-4rd-u], PSID is the only parameter
   necessary for defining a port set, as shown in Figure 4.

   To derive the PSID from a given port, it only needs to take out the
   PSID bits from the 16bit port number.

    +----------------------------+--------------+
    |         IPv4 address       |Port bits 4-15|
    +----------------------------+----+---------+
    : Longest match              :    :
    :      ||                    :    :
    :      \/                    :<-->: PSID length = L(RuleIPv4 prefix)
    +----------------+-----------+----+               + EA-bits length
    |Rule IPv4 prefix|IPv4 suffix|PSID|                    - 32
    +----------------+-----------+----+
    :                :           :    :
    +----------------+----------------+
    |Rule IPv4 prefix|     EA bits    |
    +----------------+----------------+
           ||         \_______         \__
           \/                 \           \
    +--------------------------+-----------+---+
    |    Rule IPv6 prefix      |  EA bits  | . |
    +--------------------------+-----------+--\+
    :                                          \_Domain IPv6 suffix
    :                                          :  (if applicable)
    +------------------------------------------+
    |                 IPv6 prefix              |
    +------------------------------------------+

      Figure 3: From 4rd address to IPv6 prefix (shared-address case)


                            +-------+
                            |  PSID |  12 - PSID-length
                            +-------+      |
                    :   4   :       :<-----'----->:
                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    |  > 0  |  PSID |  any value  |
                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 4: Port in the port set







Tsou, et al.            Expires September 3, 2012               [Page 6]


Internet-Draft        Port Set Algorithms Analysis            March 2012


3.1.3.  divi-pd

   divi-pd [I-D.xli-behave-divi-pd] use the same port set definition
   algorithm as MAP [I-D.mdt-softwire-mapping-address-and-port], with
   only little difference: divi-pd excludes port 0 ~ 1023, while MAP
   excludes port 0 ~ 4095.

    |     n bits         |  o bits   | m bits  |   128-n-o-m bits      |
    +--------------------+-----------+---------+------------+----------+
    | Domain IPv6 prefix |  EA bits  |subnet ID|     interface ID      |
    +--------------------+-----------+---------+-----------------------+
    |<---  End-user IPv6 prefix  --->|

                       Figure 5: IPv6 address format


                           |<------------- EA bits----------->|
             |   r bits    |        p bits       |   q bits   |
             +-------------+---------------------+------------+
             | Domain IPv4 | IPv4 Address suffix |Port Set ID |
             +-------------+---------------------+------------+
             |            32 bits                |

                       Figure 6: Shared IPv4 address


                  <-8-><-------- L>=32 -------><48-L><8->
                  +---+----------------+------+-----+---+
                  | u |  IPv4 address  | PSID |  0  | L |
                  +---+----------------+------+-----+---+

                          Figure 7: Interface ID



















Tsou, et al.            Expires September 3, 2012               [Page 7]


Internet-Draft        Port Set Algorithms Analysis            March 2012


3.1.4.  Summary

         -------------------------------+-------------------------
           Port set type                |  no-continuous
         -------------------------------+-------------------------
           Stateless                    |  yes
         -------------------------------+-------------------------
           Security                     |  good *1
         -------------------------------+-------------------------
           Implementation               |  easy
         -------------------------------+-------------------------
           Friendliness for NAT44       |  yes
         -------------------------------+-------------------------
           Sharing ratio                |  up to 2^12
         -------------------------------+-------------------------
           Revert calculation from      |
           port number to PSID at BR    |  yes
         -------------------------------+-------------------------
           Exclude well known ports     |  yes, 0~1023 or 0~4095
         -------------------------------+-------------------------

   *1 MAP and divi-pd provide better security than 4rd-U, because they
   provide more variation in port set definition.

   *2 MAP and divi-pd support sharing ratio up to 2^16, although it may
   not be necessary.

3.2.  Mask/Value style algorithms

   [RFC6431] defines an IPCP option to allocate port set to CPEs, as
   shown in Figure 8.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |M|          Reserved           |      Port Range Value         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Port Range Mask          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 8: IPCP option format

   The Port Range Value can be encoded in IPv6 address, similar as
   parameter PSID in other technologies, e.g.  MAP
   [I-D.mdt-softwire-mapping-address-and-port].

   To derive the Port Range Value from a given port, the port number
   should porform bit-and operation with the Port Range Mask.



Tsou, et al.            Expires September 3, 2012               [Page 8]


Internet-Draft        Port Set Algorithms Analysis            March 2012


       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Mask
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             |   |
             |   | (two significant bits)
             v   v
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |x x x 0 x 1 x x x x x x x x x x| Usable ports
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      (x may be set to 0 or 1)

         Figure 9: Example of Port Range Mask and Port Range Value

   This alogrithm can have some kind of randomization effect by setting
   different number of bits and bits at different location in the Port
   Range Mask.

   This algorithm may have a problem if the well known ports(0~1023 or
   0~4096) need to be excluded, it is a bit difficult to achieve that.
   But if the operator do not have a specific usage for the well known
   ports, then it is OK to allocate those port to end users, just like
   other common ports.  Some tests have done and prove that is OK.

        -------------------------------+----------------------------
          Port set type                |  continuous, no-continuous
        -------------------------------+----------------------------
          Stateless                    |  yes
        -------------------------------+----------------------------
          Security                     |  good
        -------------------------------+----------------------------
          Implementation               |  easy
        -------------------------------+----------------------------
          Friendliness for NAT44       |  yes
        -------------------------------+----------------------------
          Sharing ratio                |  up to 2^16
        -------------------------------+----------------------------
          Revert calculation from      |
          port number to PSID at BR    |  yes
        -------------------------------+----------------------------
          Exclude well known ports     |  difficult
        -------------------------------+----------------------------





Tsou, et al.            Expires September 3, 2012               [Page 9]


Internet-Draft        Port Set Algorithms Analysis            March 2012


3.3.  Cryptographical style algorithms

   The cryptographical port set definition algorithm introduced in
   [RFC6431] can provide very good security, but it is very difficult to
   derive the port set infomation, e.g. the starting point, from a given
   port.  This algorithm can only be used in stateful scenarios, the BR
   must be operated in stateful mode.

   In order to use this kind of algorithm in a stateless scenario, the
   algoritm must be reversible, that is, with some given information, it
   should be able to derive the port set information from a given port
   number.

      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |M|          Reserved           |          function             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        starting point         |   number of delegated ports   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                             key K                           ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ...                                                           ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ...                                                           ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ...                                                             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Figure 10: Format of the Cryptographically Random Port Range Option


        -------------------------------+----------------------------
          Port set type                |  continuous, no-continuous
        -------------------------------+----------------------------
          Stateless                    |  No *
        -------------------------------+----------------------------
          Security                     |  Very good
        -------------------------------+----------------------------
          Implementation               |  difficult
        -------------------------------+----------------------------
          Friendliness for NAT44       |  yes
        -------------------------------+----------------------------
          Sharing ratio                |  up to 2^16
        -------------------------------+----------------------------
          Revert calculation from      |
          port number to PSID at BR    |  No *
        -------------------------------+----------------------------
          Exclude well known ports     |  difficult



Tsou, et al.            Expires September 3, 2012              [Page 10]


Internet-Draft        Port Set Algorithms Analysis            March 2012


        -------------------------------+----------------------------

   * It may be possible to find a cryptographic algorithm which can be
   reversed, e.g. define a reversible one-to-one mapping algorithm.  But
   that is out the scope of this memo.  If strong security is required,
   it may be worth giving this topic further study.


4.  Conclusion

   TBD.


5.  IANA Considerations

   This memo includes no request to IANA.


6.  Security Considerations

   The port set should be as random as possible, in order to make it
   difficult to predict what the next port will be used, to avoid some
   potential TCP attack [RFC6056].


7.  References

7.1.  Normative References

   [I-D.despres-softwire-4rd-u]
              Despres, R., "IPv4 Residual Deployment via IPv6 - Unified
              Solution (4rd-U)", Jan 2012.

   [I-D.mdt-softwire-mapping-address-and-port]
              Troan, O., Matsushima, S., Murakami, T., Li, X., and C.
              Bao, "Mapping of Address and Port (MAP)", Jan 2012.

   [I-D.xli-behave-divi-pd]
              Li, X., Bao, C., Dec, W., and R. Asati, "dIVI-pd: Dual-
              Stateless IPv4/IPv6 Translation with Prefix Delegation",
              July 2011.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056,
              January 2011.

   [RFC6431]  Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and
              T. Tsou, "Huawei Port Range Configuration Options for PPP



Tsou, et al.            Expires September 3, 2012              [Page 11]


Internet-Draft        Port Set Algorithms Analysis            March 2012


              IP Control Protocol (IPCP)", RFC 6431, November 2011.

7.2.  Informative References

   [I-D.bsd-softwire-stateless-port-index-analysis]
              Boucadair, M., Skoberne, N., and W. Dec, "Analysis of Port
              Indexing Algorithms", Sept 2011.


Authors' Addresses

   Tina Tsou (editor)
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara  CA  95050
   USA

   Phone: +1 408 330 4424
   Email: tina.tsou.zouting@huawei.com


   Tetsuya Murakami
   IP Infusion
   1188 East Arques Avenue
   Sunnyval
   USA

   Email: tetsuya@ipinfusion.com


   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI:   http://viagenie.ca












Tsou, et al.            Expires September 3, 2012              [Page 12]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/