Internet Engineering Task Force                             T. Tsou, Ed.
Internet-Draft                                 Huawei Technologies (USA)
Intended status: Informational                               T. Murakami
Expires: September 15, 2013                                  IP Infusion
                                                            S. Perreault
                                                                Viagenie
                                                          March 14, 2013


                Port Set Definition Algorithms Analysis
          draft-tsou-softwire-port-set-algorithms-analysis-03

Abstract

   This memo analyses several port set definition algorithms that encode
   port set information into an IPv6 address in order to support
   stateless IPv4-over-IPv6 transition technologies, e.g. 4rd-U and MAP.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 15, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as



Tsou, et al.           Expires September 15, 2013               [Page 1]


Internet-Draft        Port Set Algorithms Analysis            March 2013


   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Various types of algorithms  . . . . . . . . . . . . . . . . .  4
     3.1.  GMA style algorithms . . . . . . . . . . . . . . . . . . .  4
       3.1.1.  MAP  . . . . . . . . . . . . . . . . . . . . . . . . .  4
       3.1.2.  4rd-U  . . . . . . . . . . . . . . . . . . . . . . . .  6
       3.1.3.  Summary  . . . . . . . . . . . . . . . . . . . . . . .  7
     3.2.  Mask/Value style algorithms  . . . . . . . . . . . . . . .  7
     3.3.  Cryptographic style algorithms . . . . . . . . . . . . . .  9
   4.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 10
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11


1.  Introduction

   Several stateless IPv4-over-IPv6 transition technologies have been
   developed by the industry to provide IPv4 service across an IPv6
   network; they also support IPv4 address sharing by means of port
   sets.  These technologies can significantly simplify the
   implementation of the border router and reduce its resource
   requirements.

   In these solutions, a port set is assigned to each CPE and can be
   calculated from a port set ID (PSID) in conjunction with some other
   parameters; conversely, for any port number the corresponding PSID
   can be derived, which means the mapping algorithm must be reversible.
   When the CPE needs to send an IPv4 packet, it maps the IPv4 packet
   into an IPv6 packet, either by translation or by encapsulation, and
   the IPv4 address and the PSID are embedded into the IPv6 address;
   when the BR receives the IPv6 packet, it decapsulates (or translates)
   it.  When the BR needs to forward an IPv4 packet to the CPE, it first
   derives the PSID from the destination port, and then maps the IPv4
   packet into an IPv6 packet.

   In order to support these technologies, several port set definition
   algorithms have been worked out.  It is useful to analyse the
   characteristics of these algorithms, both for a better understanding
   and in order to choose a proper algorithm for different needs.

   A good port set definition algorithm must be reversible and easy to
   implement, should be able to define non-contiguous or random port
   sets for better security, and should be able to exclude the
   well-known ports (0~1023 or 0~4095).

   This memo analyses the following characteristics:

   o  Port set type: contiguous, non-contiguous, random

   o  Stateless: yes or no

   o  Security: a contiguous port set provides only basic security; a
      random port set provides good security (see Section 6)

   o  Implementation: implementation complexity, performance, etc.

   o  Friendliness for NAT44: whether a NAT44 can use the port set as-is

   o  Sharing ratio: maximum and minimum sharing ratio

   o  Reverse calculation from port number to PSID at the BR

   o  Exclusion of the well-known ports


2.  Terminology

   BR:       Border Router.

   CPE:      Customer Premise Equipment.

   GMA:      Generalized Modulus Algorithm.

   MAP:      Mapping of Address and Port.

   PSID:     Port Set ID, one of the key parameters used to derive a
             set of ports.


3.  Various types of algorithms

   Currently, the port set definition algorithms can be classified into
   three categories: GMA style, Mask/Value style and cryptographic
   style.

3.1.  GMA style algorithms

   Currently the following drafts use GMA style algorithms: MAP
   [I-D.ietf-softwire-map-04] and 4rd-U [I-D.ietf-softwire-4rd-04].
   The two algorithms are closely related but not exactly the same.

3.1.1.  MAP

   In MAP [I-D.ietf-softwire-map-04], a port set can be defined by the
   following parameters:

      R: sharing ratio, i.e. the number of port sets (PSIDs) per IPv4
         address, R = 2^k for a k-bit PSID;

      P: PSID;

      M: maximum number of contiguous ports in one block, M = 2^m.

   To derive a port from the port set, the following equation can be
   used:

   Port = R * M * j + M * P + i

   j is the port range index (the A field of Figure 1):
   j = (4096 / M) / R to ((65536 / M) / R) - 1, if the port numbers
   0 - 4095 are excluded; with a bits for the A field this is
   j = 2^(a-4) to 2^a - 1, which requires a >= 4.

   i is the port index within one contiguous block, i = 0 to M-1.

   To derive the PSID from a given port:

   PSID = floor(Port / M) % R, where % is the modulus operator.  With R
   and M powers of two this is simply the value of the k PSID bits of
   the port.

   Parameter M makes each PSID's port set consist of blocks of M
   contiguous ports interleaved with the blocks of the other PSIDs,
   rather than a single contiguous range, which brings better security.
   Note that M = 1 does not give a contiguous port set: the equation
   then yields one isolated port every R ports.  A single contiguous
   port set results only when the port range index j can take a single
   value, i.e. when a = 0 and the A field is absent.

   PSID will be encoded in the IPv6 address, as shown in Figure 1 and
   Figure 2.

          0                          8                         15
          +---------------+-----------------+-------------------+
          |                       Port                          |
          +---------------+-----------------+-------------------+
          |     A (j)     |    PSID (P)     |       M (i)       |
          +---------------+-----------------+-------------------+
          |<----a bits--->|<-----k bits---->|<------m bits----->|

                       Figure 1: Bit representation


    |        32 bits           |         |    16 bits        |
    +--------------------------+         +-------------------+
    | IPv4 destination address |         |  IPv4 dest port   |
    +--------------------------+         +-------------------+
                    :          :           ___/       :
                    | p bits   |          /  q bits   :
                    +----------+         +------------+
                    |IPv4  sufx|         |Port-Set ID |
                    +----------+         +------------+
                    \          /    ____/    ________/
                      \       :  __/   _____/
                        \     : /     /
    |     n bits         |  o bits   | m bits  |   128-n-o-m bits      |
    +--------------------+-----------+---------+------------+----------+
    |  Rule IPv6 prefix  |  EA bits  |subnet ID|     interface ID      |
    +--------------------+-----------+---------+-----------------------+
    |<---  End-user IPv6 prefix  --->|

                   Figure 2: Deriving of MAP IPv6 address


3.1.2.  4rd-U

   In 4rd-U [I-D.ietf-softwire-4rd-04], the PSID alone is sufficient to
   define a port set, as shown in Figure 3: by default the port set
   consists of every port whose top 4 bits are non-zero and whose
   following bits start with the PSID, which excludes ports 0~4095.

   To derive the PSID from a given port, the BR only needs to extract
   the PSID bits from the 16-bit port number.

      +--------------------------------------------+
      |                CE IPv6 prefix              |
      +--------------------------+-----------------+
      :     Longest match        :                 :
      :  with a Rule IPv6 prefix :                 :
      :           ||             :                 :
      :           \/             : EA-bits length  :
      +--------------------------+     |           :
      |    Rule IPv6 prefix      |<----'---->:<-.->:
      +--------------------------+           :   \
                    ||           :           :  Length of the
                    \/           :           : Rule IPv6 suffix
               +-----------------+-----------+(if the rule has one)
               |Rule IPv4 prefix |  EA bits  |
               +-----------------+-----------+
               :                             :
               +-----------------------------+
               |     CE 4rd IPv4 prefix      |
               +-----------------------------+
      ________/ \_________                   :
     /                    \                  :
    :                  ____:________________/ \__
    :                 /    :                     \
    :    =< 32       :     :          > 32        :
    +----------------+     +-----------------+----+
    |IPv4 prfx or add|  OR |   IPv4 address  |PSID|
    +----------------+     +-----------------+----+
                           :       32        : || :
                                               \/
                       (by default)          (If WKPs authorized)
                         :    :                     :    :
                     +---+----+---------+           +----+-------------+
       Ports in      |> 0|PSID|any value|    OR     |PSID|  any value  |
    the CE port set  +---+----+---------+           +----+-------------+
                     : 4 :     12       :           :        16        :

      Figure 3: From CE IPv6 prefix to 4rd IPv4 address and Port set
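   The GMA derivation of Section 3.1.1 and the 4rd-U bit extraction
   above, carried through as an added example (Python written for this
   analysis, not code from the MAP or 4rd-U drafts).  It assumes, as
   Figure 1 does, that R = 2^k and M = 2^m, so that the PSID occupies k
   bits of the port and the port range index j the a = 16 - k - m top
   bits; the function names and the sample parameters are this
   example's own.  port_set() enumerates a PSID's ports with the memo's
   equation, psid_from_port() is the BR-side reverse step, and
   is_partition() checks that the 2^k sets are disjoint and cover every
   non-excluded port exactly once, which is the property the stateless
   reverse calculation relies on.  The 4rd-U layout of Figure 3 is the
   case a = 4, i.e. m = 12 - k; with a 12-bit PSID the reverse step is
   just taking the low 12 bits of the port.

```python
"""GMA-style port sets: MAP (Section 3.1.1) and the 4rd-U layout (Section 3.1.2).

16-bit port layout (Figure 1):  | A: a bits | PSID: k bits | M: m bits |
    R = 2**k  sharing ratio, i.e. number of PSIDs per IPv4 address
    M = 2**m  number of contiguous ports in one block
    a = 16 - k - m  bits of the port range index j

Constructed example for this analysis; not code from the MAP or 4rd-U drafts.
"""

WKP_LIMIT = 4096   # ports 0-4095 are the well-known ports the memo excludes


def port_set(psid, k, m, exclude_wkp=True):
    """Ports of `psid`, from the memo's equation Port = R*M*j + M*P + i.

    j runs from (4096/M)/R to (65536/M)/R - 1 when ports 0-4095 are excluded
    (i.e. 2**(a-4) .. 2**a - 1, so a >= 4 is needed), and i from 0 to M-1.
    """
    a = 16 - k - m
    if k < 0 or m < 0 or a < 0:
        raise ValueError("k + m must not exceed 16")
    if not 0 <= psid < 2 ** k:
        raise ValueError("PSID does not fit in k bits")
    if exclude_wkp and a < 4:
        # with fewer than 4 A bits the first range index rounds down to 0
        # and well-known ports leak into the set
        raise ValueError("excluding ports 0-4095 needs at least 4 A bits")
    R, M = 2 ** k, 2 ** m
    j_start = (WKP_LIMIT // M) // R if exclude_wkp else 0
    j_stop = (65536 // M) // R            # == 2**a, exclusive upper bound
    return [R * M * j + M * psid + i
            for j in range(j_start, j_stop)
            for i in range(M)]


def psid_from_port(port, k, m):
    """BR-side reverse step: PSID = floor(Port / M) mod R.

    For power-of-two R and M this equals slicing the k PSID bits out of the
    port, (port >> m) & (R - 1), which is all 4rd-U does.
    """
    R, M = 2 ** k, 2 ** m
    psid = (port // M) % R
    assert psid == (port >> m) & (R - 1)   # both formulations agree
    return psid


def is_partition(k, m, exclude_wkp=True):
    """True when the 2**k port sets are pairwise disjoint, jointly cover every
    non-excluded port, and every port maps back to the PSID it was derived
    from; this is what lets the BR work without per-flow state."""
    seen = set()
    for psid in range(2 ** k):
        for port in port_set(psid, k, m, exclude_wkp):
            if port in seen or psid_from_port(port, k, m) != psid:
                return False
            seen.add(port)
    return seen == set(range(WKP_LIMIT if exclude_wkp else 0, 65536))


if __name__ == "__main__":
    # MAP with k = 8 (256 subscribers per address) and m = 4 (blocks of 16)
    ports = port_set(5, k=8, m=4)
    print(len(ports), ports[:3], ports[-1])      # 240 [4176, 4177, 4178] 61535
    print(psid_from_port(ports[100], k=8, m=4))  # 5
    # 4rd-U layout of Figure 3 with a 12-bit PSID: a = 4, k = 12, m = 0
    print(port_set(0x123, k=12, m=0)[:3])        # [4387, 8483, 12579]
    print(is_partition(8, 4), is_partition(12, 0))   # True True
```

   Running the module shows the 240 ports of PSID 5 for k = 8, m = 4
   (blocks of 16 ports, one block every 4096 ports, starting above the
   excluded range) and the 15 isolated ports of PSID 0x123 in the 4rd-U
   layout; requesting exclusion with fewer than 4 A bits is rejected
   rather than silently handing out well-known ports.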






3.1.3.  Summary

         -------------------------------+-------------------------
           Port set type                |  non-contiguous
         -------------------------------+-------------------------
           Stateless                    |  yes
         -------------------------------+-------------------------
           Security                     |  good
         -------------------------------+-------------------------
           Implementation               |  easy
         -------------------------------+-------------------------
           Friendliness for NAT44       |  yes
         -------------------------------+-------------------------
           Sharing ratio                |  up to 2^12
         -------------------------------+-------------------------
           Reverse calculation from     |
           port number to PSID at BR    |  yes
         -------------------------------+-------------------------
           Exclude well-known ports     |  yes, 0~1023 or 0~4095
         -------------------------------+-------------------------

   1.  4rd-U is a parameter-free algorithm, which differs from MAP; MAP
   can provide more variation thanks to its extra parameter(s).  From
   the port set definition point of view, MAP and 4rd-U provide the
   same level of security.

   2.  MAP supports sharing ratios up to 2^16 (a 16-bit PSID), although
   such a ratio may not be necessary; the 2^12 above is the 4rd-U
   default of Figure 3.

3.2.  Mask/Value style algorithms

   [RFC6431] defines an IPCP option to allocate port set to CPEs, as
   shown in Figure 4.

   [I-D.b4-translated-ds-lite-09] also uses tis type of port set
   definition algorithm defined in [I-D.dhc-port-set-option-00].

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |M|          Reserved           |      Port Range Value         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Port Range Mask          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 4: IPCP option format

              0                             1
              0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |   OPTION_PORT_SET     |     option-length     |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                Port Set Index                 |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
             |                Port Set Mask                  |
             +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

                   Figure 5: DHCP port set option format

   The Port Range Value can be encoded in the IPv6 address, similarly to
   the PSID parameter of other technologies, e.g. MAP
   [I-D.ietf-softwire-map-04].

   To derive the Port Range Value from a given port, the port number is
   bitwise ANDed with the Port Range Mask; a port belongs to the set
   exactly when the result equals the set's Port Range Value.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Mask
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             |   |
             |   | (two significant bits)
             v   v
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |x x x 0 x 1 x x x x x x x x x x| Usable ports
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      (x may be set to 0 or 1)

         Figure 6: Example of Port Range Mask and Port Range Value

   This algorithm can have some randomization effect, obtained by
   setting a different number of bits, or bits at different positions,
   in the Port Range Mask.

   This algorithm has a problem if the well-known ports (0~1023 or
   0~4095) need to be excluded: that is difficult to achieve, since
   every port, the well-known ports included, matches exactly one value
   of a given mask, so some CPE always receives them.  But if the
   operator has no specific usage for the well-known ports, it is
   acceptable to allocate those ports to end users just like any other
   ports.  Tests have been done and show that this works.

        -------------------------------+----------------------------
          Port set type                |  contiguous, non-contiguous
        -------------------------------+----------------------------
          Stateless                    |  yes
        -------------------------------+----------------------------
          Security                     |  good
        -------------------------------+----------------------------
          Implementation               |  easy
        -------------------------------+----------------------------
          Friendliness for NAT44       |  yes
        -------------------------------+----------------------------
          Sharing ratio                |  up to 2^16
        -------------------------------+----------------------------
          Revert calculation from      |
          port number to PSID at BR    |  yes
        -------------------------------+----------------------------
          Exclude well known ports     |  difficult
        -------------------------------+----------------------------
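   The membership rule of this section, carried through as an added
   example (Python written for this analysis, not code from RFC 6431 or
   the DHCP draft).  The mask 0x1400 and value 0x0400 are those of
   Figure 6, read with bit 0 as the most significant bit as in the
   figure; the function names are this example's own.  in_port_set()
   and port_range_value() are the CPE-side and BR-side halves of the
   rule, all_values() lists every value one mask can carry,
   is_partition() checks that those values split the port space without
   overlap, and wkp_free_values() shows the exclusion problem discussed
   above: ports 0~1023 always fall into the values below 1024 of
   whatever mask is chosen, and the all-zero value is always one of
   them.

```python
"""Mask/Value port sets (Section 3.2): Port Range Mask / Port Range Value of
the IPCP option [RFC6431], Port Set Mask / Port Set Index of the DHCP option
[I-D.dhc-port-set-option-00].

Constructed example for this analysis; not code from RFC 6431 or the DHCP
draft.  Mask and value are those of Figure 6 (bit 0 = MSB in the figure, so
"0 0 0 1 0 1 0 ..." is 0x1400 and "0 0 0 0 0 1 0 ..." is 0x0400).
"""

FIG6_MASK = 0x1400    # two significant bits: 0x1000 and 0x0400
FIG6_VALUE = 0x0400   # usable ports have 0x1000 clear and 0x0400 set
WELL_KNOWN_LIMIT = 1024


def in_port_set(port, mask, value):
    """CPE side: a port is usable by the set iff (port & mask) == value."""
    return (port & mask) == value


def port_range_value(port, mask):
    """BR side: recover the Port Range Value by ANDing the port with the mask."""
    return port & mask


def port_set(mask, value):
    """Enumerate the 16-bit ports of one (mask, value) set."""
    if value & ~mask & 0xFFFF:
        raise ValueError("Port Range Value has bits outside the Port Range Mask")
    return [p for p in range(65536) if in_port_set(p, mask, value)]


def sharing_ratio(mask):
    """One mask yields 2**popcount(mask) disjoint sets of 65536/2**popcount ports."""
    return 1 << bin(mask & 0xFFFF).count("1")


def all_values(mask):
    """Every value that is valid for `mask`: each subset of the mask's bits."""
    values = [0]
    for b in range(16):
        if mask & (1 << b):
            values += [v | (1 << b) for v in values]
    return sorted(values)


def contains_well_known_ports(value):
    """Does a set with this value reach a port below 1024?  Ports below 1024
    have bits 10-15 clear, so one of them matches exactly when the value has
    no bit at or above bit 10 (the port equal to the value itself matches);
    the mask plays no role."""
    return value < WELL_KNOWN_LIMIT


def wkp_free_values(mask):
    """Values of `mask` whose sets avoid ports 0-1023.  The all-zero value is
    never among them, so the well-known ports always land on some CPE."""
    return [v for v in all_values(mask) if not contains_well_known_ports(v)]


def is_partition(mask):
    """All values of a mask split the port space: every port lies in exactly
    one set and the BR's AND maps it back to that set's value."""
    owner = {}
    for v in all_values(mask):
        for p in port_set(mask, v):
            if p in owner or port_range_value(p, mask) != v:
                return False
            owner[p] = v
    return len(owner) == 65536


if __name__ == "__main__":
    ports = port_set(FIG6_MASK, FIG6_VALUE)
    print(len(ports), hex(ports[0]), hex(ports[-1]))     # 16384 0x400 0xefff
    print(sharing_ratio(FIG6_MASK))                      # 4
    print([hex(v) for v in wkp_free_values(FIG6_MASK)])  # ['0x400', '0x1000', '0x1400']
    print(is_partition(FIG6_MASK))                       # True
```

   The Figure 6 set itself happens to avoid ports 0~1023, because its
   value has bit 10 set, but the value 0x0000 of the same mask holds
   them, which is the difficulty described above: exclusion can be
   arranged for an individual CPE, not for the partition as a whole.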

3.3.  Cryptographic style algorithms

   The cryptographic port set definition algorithm introduced in
   [RFC6431] can provide very good security, but it is very difficult to
   derive the port set information, e.g. the starting point, from a
   given port.  This algorithm can therefore only be used in stateful
   scenarios: the BR must operate in stateful mode.

   In order to use this kind of algorithm in a stateless scenario, the
   algorithm must be reversible, that is, given some shared information
   (such as the key), it must be possible to derive the port set
   information from a given port number.

      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |M|          Reserved           |          function             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        starting point         |   number of delegated ports   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                             key K                           ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ...                                                           ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ...                                                           ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ...                                                             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Figure 7: Format of the Cryptographically Random Port Range Option

        -------------------------------+----------------------------
          Port set type                |  contiguous, non-contiguous
        -------------------------------+----------------------------
          Stateless                    |  No *
        -------------------------------+----------------------------
          Security                     |  Very good
        -------------------------------+----------------------------
          Implementation               |  difficult
        -------------------------------+----------------------------
          Friendliness for NAT44       |  yes
        -------------------------------+----------------------------
          Sharing ratio                |  up to 2^16
        -------------------------------+----------------------------
          Revert calculation from      |
          port number to PSID at BR    |  No *
        -------------------------------+----------------------------
          Exclude well known ports     |  difficult
        -------------------------------+----------------------------

   * It may be possible to find a cryptographic algorithm that can be
   reversed, e.g. a keyed one-to-one (bijective) mapping of the port
   space, so that the BR can recover the port set from a port without
   per-flow state.  That is out of the scope of this memo.  If strong
   security is required, this topic may be worth further study.


4.  Conclusion

   GMA and mask/value methods are easy to implement and provide
   reasonable security.  If high security is desired, cryptographically
   random port sets can be considered, at the cost of a stateful BR.


5.  IANA Considerations

   This memo includes no request to IANA.


6.  Security Considerations

   The port set should be as random as possible, in order to make it
   difficult to predict which port will be used next and so to mitigate
   the off-path attacks discussed in [RFC6056].  Note that the port set
   only bounds the ports a CPE may use: the CPE's NAT44 must still pick
   source ports unpredictably within that set [RFC6056], and with a
   sharing ratio of R the set holds only 65536/R ports (fewer when the
   well-known ports are excluded), so the entropy available to port
   selection shrinks as the sharing ratio grows.


7.  References

7.1.  Normative References

   [I-D.dhc-port-set-option-00]
              Sun, Q., Li, Y., Sun, Q., Bajko, G., and M. Boucadair,
              "Dynamic Host Configuration Protocol (DHCP) Option for
              Port Set Assignment (Work in progress)", Oct 2012.

   [I-D.ietf-softwire-4rd-04]
              Jiang, S., Despres, R., Penno, R., Lee, Y., Chen, G., and
              M. Chen, "IPv4 Residual Deployment via IPv6 - a unified
              Stateless Solution (4rd) (Work in progress)", Oct 2012.

   [I-D.ietf-softwire-map-04]
              Troan, O., Dec, W., Li, X., Bao, C., Matsushima, S., and
              T. Murakami, "Mapping of Address and Port (MAP) (Work in
              progress)", Feb 2013.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056,
              January 2011.

   [RFC6431]  Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and
              T. Tsou, "Huawei Port Range Configuration Options for PPP
              IP Control Protocol (IPCP)", RFC 6431, November 2011.

7.2.  Informative References

   [I-D.b4-translated-ds-lite-09]
              Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Li, Y., and I.
              Farrer, "Mapping of Address and Port (MAP) (Work in
              progress)", Oct 2012.

   [I-D.bsd-softwire-stateless-port-index-analysis]
              Boucadair, M., Skoberne, N., and W. Dec, "Analysis of Port
              Indexing Algorithms", Sept 2011.


Authors' Addresses

   Tina Tsou (editor)
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara  CA  95050
   USA

   Phone: +1 408 330 4424
   Email: tina.tsou.zouting@huawei.com


   Tetsuya Murakami
   IP Infusion
   1188 East Arques Avenue
   Sunnyvale
   USA

   Email: tetsuya@ipinfusion.com


   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI:   http://viagenie.ca