draft-ietf-radext-ip-port-radius-ext-00.txt | draft-ietf-radext-ip-port-radius-ext-01.txt | |||
---|---|---|---|---|
Network Working Group D. Cheng | Network Working Group D. Cheng | |||
Internet-Draft Huawei | Internet-Draft Huawei | |||
Intended status: Standards Track J. Korhonen | Intended status: Standards Track J. Korhonen | |||
Expires: November 11, 2014 Broadcom | Expires: December 14, 2014 Broadcom | |||
M. Boucadair | M. Boucadair | |||
France Telecom | France Telecom | |||
S. Sivakumar | S. Sivakumar | |||
Cisco Systems | Cisco Systems | |||
May 10, 2014 | June 12, 2014 | |||
RADIUS Extensions for IP Port Configuration and Reporting | RADIUS Extensions for IP Port Configuration and Reporting | |||
draft-ietf-radext-ip-port-radius-ext-00 | draft-ietf-radext-ip-port-radius-ext-01 | |||
Abstract | Abstract | |||
This document defines three new RADIUS attributes. For device that | This document defines three new RADIUS attributes. For devices that | |||
implementing IP port ranges, these attributes are used to communicate | implementing IP port ranges, these attributes are used to communicate | |||
with a RADIUS server in order to configure and report TCP/UDP ports | with a RADIUS server in order to configure and report TCP/UDP ports | |||
and ICMP identifiers, as well as mapping behavior for specific hosts. | and ICMP identifiers, as well as mapping behavior for specific hosts. | |||
This mechanism can be used in various deployment scenarios such as | This mechanism can be used in various deployment scenarios such as | |||
CGN, NAT64, Provider WiFi Gateway, etc. | CGN (Carrier Grade NAT), NAT64, Provider WLAN Gateway, etc. | |||
This document does not make any assumption about the deployment | This document does not make any assumption about the deployment | |||
context. | context. | |||
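Review bot: the -01 abstract still reads "For devices that implementing IP port ranges"; changing "device" to "devices" alone leaves the clause ungrammatical, so it should be "For devices that implement IP port ranges" (or "devices implementing").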
Requirements Language | Requirements Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
skipping to change at page 1, line 49 | skipping to change at page 1, line 49 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on November 11, 2014. | This Internet-Draft will expire on December 14, 2014. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3. RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5 | |||
3.1. Extended-Type for IP-Port-Type . . . . . . . . . . . . . 5 | 3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6 | |||
3.2. IP-Port-Limit Attribute . . . . . . . . . . . . . . . . . 7 | 3.1.1. Extended-Type and IP-Port-Type TLV . . . . . . . . . 6 | |||
3.3. IP-Port-Range Attribute . . . . . . . . . . . . . . . . . 8 | 3.1.2. IP-Port-Limit Attribute . . . . . . . . . . . . . . . 7 | |||
3.4. IP-Port-Forwarding-Map Attribute . . . . . . . . . . . . 10 | 3.1.3. IP-Port-Range Attribute . . . . . . . . . . . . . . . 9 | |||
4. Applications, Use Cases and Examples . . . . . . . . . . . . 12 | 3.1.4. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 12 | |||
4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 12 | 3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 14 | |||
4.1.1. Configure IP Port Limit for a User . . . . . . . . . 13 | 3.2.1. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 14 | |||
4.1.2. Report IP Port Allocation/De-allocation . . . . . . . 15 | 3.2.2. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 15 | |||
4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 16 | 3.2.3. IP-Port-Int-IP-Addr TLV . . . . . . . . . . . . . . . 16 | |||
4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 18 | 3.2.4. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 17 | |||
4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 19 | 3.2.5. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 17 | |||
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 20 | 3.2.6. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 18 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 3.2.7. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 19 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | 3.2.8. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 20 | |||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | 3.2.9. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 20 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 4. Applications, Use Cases and Examples . . . . . . . . . . . . 21 | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 22 | 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 21 | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 22 | 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 22 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | 4.1.2. Report IP Port Allocation/De-allocation . . . . . . . 24 | |||
4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 25 | ||||
4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 27 | ||||
4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 28 | ||||
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 29 | ||||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | ||||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 | ||||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 | ||||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 | ||||
9.1. Normative References . . . . . . . . . . . . . . . . . . 31 | ||||
9.2. Informative References . . . . . . . . . . . . . . . . . 32 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | ||||
1. Introduction | 1. Introduction | |||
In a broadband network, customer information is usually stored on a | In a broadband network, customer information is usually stored on a | |||
RADIUS server [RFC2865] and at the time when a user initiates an IP | RADIUS server [RFC2865] and at the time when a user initiates an IP | |||
connection request, the RADIUS server will populate the user's | connection request, the RADIUS server will populate the user's | |||
configuration information to the Network Access Server (NAS), which | configuration information to the Network Access Server (NAS), which | |||
is usually co-located with the Border Network Gateway (BNG), after | is usually co-located with the Border Network Gateway (BNG), after | |||
the connection request is granted. The Carrier Grade NAT (CGN) | the connection request is granted. The Carrier Grade NAT (CGN) | |||
function may also be implemented on the BNG, and therefore CGN TCP/ | function may also be implemented on the BNG, and therefore CGN TCP/ | |||
skipping to change at page 3, line 16 | skipping to change at page 3, line 27 | |||
the RADIUS server as part of the user profile, and populated to the | the RADIUS server as part of the user profile, and populated to the | |||
NAS in the same manner. In addition, during the operation, the CGN | NAS in the same manner. In addition, during the operation, the CGN | |||
can also convey port/identifier mapping behavior specific to a user | can also convey port/identifier mapping behavior specific to a user | |||
to the RADIUS server, as part of the normal RADIUS accounting | to the RADIUS server, as part of the normal RADIUS accounting | |||
process. | process. | |||
The CGN device that communicates with a RADIUS server using RADIUS | The CGN device that communicates with a RADIUS server using RADIUS | |||
extensions defined in this document may perform NAT44 [RFC3022], | extensions defined in this document may perform NAT44 [RFC3022], | |||
NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function. | NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function. | |||
For the CGN example, when IP packets traverse a CGN, it would perform | For the CGN case, when IP packets traverse a CGN device, it would | |||
TCP/UDP source port mapping or ICMP identifier mapping as required. | perform TCP/UDP source port mapping or ICMP identifier mapping as | |||
A TCP/ UDP source port or ICMP identifier, along with source IP | required. A TCP/ UDP source port or ICMP identifier, along with | |||
address, destination IP address, destination port and protocol | source IP address, destination IP address, destination port and | |||
identifier if applicable, uniquely identify a session. Since the | protocol identifier if applicable, uniquely identify a session. | |||
number space of TCP/UDP ports and ICMP identifiers in CGN's external | Since the number space of TCP/UDP ports and ICMP identifiers in CGN's | |||
realm is shared among multiple users assigned with the same IPv4 | external realm is shared among multiple users assigned with the same | |||
address, the total number of a user's simultaneous IP sessions is | IPv4 address, the total number of a user's simultaneous IP sessions | |||
likely to subject to port quota. | is likely to be subject to port quota (see Section 5 of [RFC6269]). | |||
The attributes defined in this document may also be used to report | The attributes defined in this document may also be used to report | |||
the assigned port set in some deployment such as Provider Wi-Fi | the assigned port range in some deployments such as Provider WLAN | |||
[I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting | [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting | |||
host can be managed by a CPE which will need to report the assigned | host can be managed by a CPE (Customer Premises Equipment ) which | |||
port set to the service platform. This is required for | will need to report the assigned port range to the service platform. | |||
identification purposes (see WT-146 for example). | This is required for identification purposes (see WT-146 for | |||
example). | ||||
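Review bot: two stray spaces survive in the -01 text of this passage, "TCP/ UDP source port" and "CPE (Customer Premises Equipment )", and "is likely to be subject to port quota" reads better as "is likely to be subject to a port quota". The added pointer to Section 5 of [RFC6269] is the right place to send the reader for the port-quota rationale.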
This document proposes three new attributes as RADIUS protocol's | This document proposes three new attributes as RADIUS protocol's | |||
extensions, and they are used for separate purposes as follows: | extensions, and they are used for separate purposes as follows: | |||
o IP-Port-Limit:This attribute may be carried in RDIUS Acces-Accept, | 1. IP-Port-Limit: This attribute may be carried in RADIUS Acces- | |||
Accounting-Request or CoA-Request packet. The purpose of this | Accept, Access-Request, Accounting-Request or CoA-Request packet. | |||
attribute is to limit the total number of TCP/UDP ports and/or | The purpose of this attribute is to limit the total number of | |||
ICMP identifiers that an IP subscriber can use.. | TCP/UDP ports and/or ICMP identifiers that an IP subscriber can | |||
use, associated with an IPv4 address. | ||||
o IP-Port-Range:This attribute may be carried in RADIUS Access- | 2. IP-Port-Range: This attribute may be carried in RADIUS | |||
Accept, Accounting-Request or CoA-Request packet. The purpose of | Accounting-Request packet. The purpose of this attribute is to | |||
this attribute is to specify the range of TCP/UDP ports and/or | report by an address sharing device (e.g., a CGN) to the RADIUS | |||
ICMP identifiers that an IP subscriber can use associated with an | server the range of TCP/UDP ports and/or ICMP identifiers that | |||
IPv4 address. | have been allocated or deallocated associated with a given IPv4 | |||
address for a subscriber. | ||||
o IP-Port-Forwarding-Map:This attribute may be carried in RADIUS | 3. IP-Port-Forwarding-Map: This attribute may be carried in RADIUS | |||
Access-Accept, Accounting-Request or CoA-Request packet. The | Access-Accept, Access-Request, Accounting-Request or CoA-Request | |||
purpose of this this attribute is to specify how a TCP/UDP port | packet. The purpose of this attribute is to specify how a TCP/ | |||
(or an ICMP identifier) mapping to another TCP/UDP port (or an | UDP port (or an ICMP identifier) mapping to another TCP/UDP port | |||
ICMP identifier). | (or an ICMP identifier), and each is associated with its | |||
respective IPv4 address. | ||||
This document was constructed using the [RFC2629] . | This document was constructed using the [RFC2629] . | |||
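Review bot: "RADIUS Acces-Accept" in item 1 is still misspelled in -01 ("Access-Accept"), and item 3 lacks a verb: "how a TCP/UDP port (or an ICMP identifier) mapping to another TCP/UDP port" should be "how a TCP/UDP port (or an ICMP identifier) is mapped to another TCP/UDP port". Item 2 now restricts IP-Port-Range to the Accounting-Request packet and makes it a report from the address-sharing device rather than a configuration, so Section 4.1.2 (Report IP Port Allocation/De-allocation) should be checked for consistency with that change. Finally, "constructed using the [RFC2629] ." has a stray space before the period.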
2. Terminology | 2. Terminology | |||
Some terms that are used in this document are listed as follows: | This document makes use if the following terms: | |||
o IP Port - This term refers to IP transport protocol port, | o IP Port: refers to the port numbers of IP transport protocols, | |||
including TCP port, UDP port and ICMP identifier. | including TCP port, UDP port and ICMP identifier. | |||
o IP Port Limit - This is the maximum number of TCP ports, or UDP | o IP Port Type: refers to one of the following: (1)TCP/UDP port and | |||
ports, or the total of the two, or ICMP identifiers, or the total | ICMP identifier, (2)TCP port and UDP port, (3) TCP port, (4) UDP | |||
of the three, that a device supporting port ranges can use when | port, or (5)ICMP identifier. | |||
performing mapping on TCP/ UDP ports or ICMP identifiers for a | ||||
specific user. | ||||
o IP Port Range - This specifies a set of TCP/UDP port numbers or | o IP Port Limit: denotes the maximum number of IP ports for a | |||
ICMP identifiers, indicated by the port/identifier with the | specific port type, that a device supporting port ranges can use | |||
smallest numerical number and the port/identifier with the largest | when performing port number mapping for a specific user. | |||
numerical number, inclusively. | ||||
o Internal IP Address - The IP address that is used as a source IP | o IP Port Range: specifies a set of contiguous IP ports, indicated | |||
address in an outbound IP packet sent toward a device supporting | by the smallest numerical number and the largest numerical number, | |||
port ranges in the internal realm. In IPv4 case, it is typically | inclusively. | |||
a private address [RFC1918]. | ||||
o External IP Address - The IP address that is used as a source IP | o Internal IP Address: refers to the IP address that is used as a | |||
address in an outbound IP packet after traversing a device | source IP address in an outbound IP packet sent towards a device | |||
supporting port ranges in the external realm. In IPv4 case, it is | supporting port ranges in the internal realm. In the IPv4 case, | |||
typically a global and routable IP address. | it is typically a private address [RFC1918]. | |||
o Internal Port - The internal port is a UDP or TCP port, or an ICMP | o External IP Address: refers to the IP address that is used as a | |||
identifier, which is allocated by a host or application behind a | source IP address in an outbound IP packet after traversing a | |||
device supporting port ranges for an outbound IP packet in the | device supporting port ranges in the external realm. In the IPv4 | |||
internal realm. | case, it is typically a global routable IP address. | |||
o External Port - The external port is a UDP or TCP port, or an ICMP | o Internal Port: is a UDP or TCP port, or an ICMP identifier, which | |||
identifier, which is allocated by a device supporting port ranges | is allocated by a host or application behind a device supporting | |||
upon receiving an outbound IP packet in the internal realm, and is | port ranges for an outbound IP packet in the internal realm. | |||
used to replace the internal port that is allocated by a user or | ||||
application. | ||||
o External realm - The networking segment where IPv4 public | o External Port: is a UDP or TCP port, or an ICMP identifier, which | |||
is allocated by a device supporting port ranges upon receiving an | ||||
outbound IP packet in the internal realm, and is used to replace | ||||
the internal port that is allocated by a user or application. | ||||
o External realm: refers to the networking segment where IPv4 public | ||||
addresses are used in respective of the device supporting port | addresses are used in respective of the device supporting port | |||
ranges. | ranges. | |||
o Internal realm - The networking segment that is behind a device | o Internal realm: refers to the networking segment that is behind a | |||
supporting port ranges and where IPv4 private addresses are used. | device supporting port ranges and where IPv4 private addresses are | |||
used. | ||||
o Mapping - This term in this document associates with a device | o Mapping: associates with a device supporting port ranges for a | |||
supporting port ranges for a relationship between an internal IP | relationship between an internal IP address, internal port and the | |||
address, internal port and the protocol, and an external IP | protocol, and an external IP address, external port, and the | |||
address, external port, and the protocol. | protocol. | |||
o Port-based device - A device that is capable of providing IP | o Port-based device: a device that is capable of providing IP | |||
address and TCP/UDP port mapping services and in particular, with | address and IP port mapping services and in particular, with the | |||
the granularity of one or more subsets within the 16-bit TCP/UDP | granularity of one or more subsets within the 16-bit IP port | |||
port number range. A typical example of this device can be a CGN, | number range. A typical example of this device is a CGN, CPE, | |||
CPE, Provider Wi-Fi Gateway, etc. | Provider WLAN Gateway, etc. | |||
Note the terms "internal IP address", "internal port", "internal | Note the terms "internal IP address", "internal port", "internal | |||
realm", "external IP address", "external port", "external realm", and | realm", "external IP address", "external port", "external realm", and | |||
"mapping" and their semantics are the same as in [RFC6887], and | "mapping" and their semantics are the same as in [RFC6887], and | |||
[RFC6888]. | [RFC6888]. | |||
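Review bot: "This document makes use if the following terms" should be "makes use of"; the IP Port Type item needs spaces after the enumerators ("(1) TCP/UDP port and ICMP identifier", "(2) TCP port and UDP port", "(5) ICMP identifier"); and "IPv4 public addresses are used in respective of the device supporting port ranges" (External realm) is unclear in both revisions, presumably "with respect to" or "on the external side of" is intended. The five IP Port Type values listed here do match the five TLV1-Type codes TBA2-1 to TBA2-5 in Section 3.1.1; using the same wording in both places ("TCP port, UDP port, and ICMP identifier" versus "TCP/UDP port and ICMP identifier") would make that correspondence obvious.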
3. RADIUS Attributes | 3. Extensions of RADIUS Attributes and TLVs | |||
[Discussion: Should we define a dedicated attribute | ||||
(port_set_policies) to configure the following policies: (1) | ||||
enforce port randomization, (2) include/exclude the WKP in the | ||||
port assignment, (3) preserve parity, (4) quota for explicit port | ||||
mapping, (5) DSCP marking policy, (6) Port hold down timer, (7) | ||||
port hold down pool, etc. Perhaps we don't need to cover all | ||||
these parameters. - The discussion should be in a separate draft | ||||
allowing this draft dedicated to RADIUS extension only.] | ||||
In this section, we define the details of the following three new | These three new attributes are defined in the following sub-sections: | |||
attributes: | ||||
o IP-Port-Limit Attribute | 1. IP-Port-Limit Attribute | |||
o IP-Port-Range Attribute | 2. IP-Port-Range Attribute | |||
o IP-Port-Forwarding-Map Attribute | 3. IP-Port-Forwarding-Map Attribute | |||
All these attributes are allocated from the RADIUS "Extended Type" | All these attributes are allocated from the RADIUS "Extended Type" | |||
code space per [RFC6929]. | code space per [RFC6929]. | |||
3.1. Extended-Type for IP-Port-Type | 3.1. Extended Attributes for IP Ports | |||
This section defines a new Extended-Type for IP port type. The IP | 3.1.1. Extended-Type and IP-Port-Type TLV | |||
port type may be one of the following: | ||||
o Refer to TCP port, UDP port, and ICMP identifier | This section defines a new Extended-Type and an IP-Port-Type TLV (see | |||
Figure 1). | ||||
o Refer to TCP port and UDP port | The IP port type may be one of the following: | |||
o Refer to TCP port | ||||
o Refer to UDP port | o TCP port, UDP port, and ICMP identifier | |||
o Refer to ICMP identifier | o TCP port and UDP port | |||
0 1 2 3 | o TCP port | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ | o UDP port | |||
| Type | Length | Extended-Type | Value..... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ | o ICMP identifier | |||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| Type | Length | Extended-Type | TLV1-Type | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV1-Length | Value... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 1 | ||||
Type: | Type: | |||
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | |||
Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. | Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. | |||
Length: | Length: | |||
This field indicates the total length in octets of all fields this | This field indicates the total length in bytes of all fields this | |||
attribute, including the Type, Length, Extended-Type, and Value. | attribute, including the Type, Length, Extended-Type, and the | |||
embedded TLVs. | ||||
Extended-Type: | Extended-Type: | |||
This one octet field indicates the IP port as follows: | TBA2. | |||
TBA1-1: | TLV1-Type: | |||
Type field of IP-Port-Type TLV. This one byte field indicates the | ||||
IP port type as follows: | ||||
TBA2-1: | ||||
Refer to TCP port, UDP port, and ICMP identifier as a whole. | Refer to TCP port, UDP port, and ICMP identifier as a whole. | |||
TBA1-2: | TBA2-2: | |||
Refer to TCP port and UDP port as a whole. | Refer to TCP port and UDP port as a whole. | |||
TBA1-3: | TBA2-3: | |||
Refer to TCP port only. | Refer to TCP port only. | |||
TBA1-4: | TBA2-4: | |||
Refer to UDP port only. | Refer to UDP port only. | |||
TBA1-5: | TBA2-5: | |||
Refer to ICMP identifier only. | Refer to ICMP identifier only. | |||
TLV1-Length: | ||||
Length field of IP-Port-Type TLV. This field indicates the total | ||||
length in bytes of the TLV1, including the field of TLV1-Type, | ||||
TLV1-Length, and the Value. | ||||
Value: | Value: | |||
This field contains one or more octects, and the data format MUST | Value field of IP-Port-Type TLV. This field contains one or more | |||
be a valid RADIUS data type. | TLVs, refer to Section 3.1.2, Section 3.1.3, Section 3.1.4 for | |||
details. | ||||
The interpretation of this field is determined by the identifier | The interpretation of this field is determined by the identifier | |||
of "TBA1.{TBA1-1..TBA1-5} along with the embedded TLV. | of "TBA1.TBA2.{TBA2-1..TBA2-5} along with the embedded TLVs. | |||
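Review bot: the Value description says the IP-Port-Type TLV "contains one or more TLVs, refer to Section 3.1.2, Section 3.1.3, Section 3.1.4", but those are the three attribute sections; the TLVs that can be embedded (IP-Port-Limit, IP-Port-Ext-IPv4-Addr, IP-Port-Range-Start, and so on) are defined in Sections 3.2.1 through 3.2.9 per the table of contents, so the cross-references should point there. Two smaller points: the TLV1-Type codes are named TBA2-1..TBA2-5 while TBA2 is also the Extended-Type code, which reads as if they were sub-values of the Extended-Type registry rather than entries in a separate TLV-Type registry, so a distinct placeholder name would be clearer; and -01 changes "octets" to "bytes" in the Length descriptions, whereas [RFC6929] and RFC 2865 use "octets", so keeping "octets" is preferable. Since the attribute nests TLVs inside the IP-Port-Type TLV, it is worth stating explicitly that receivers apply the [RFC6929] length rules at each level (TLV1-Length covering the whole inner TLV, inner TLV lengths not running past the enclosing Length, no TLV shorter than its header) and treat violations as invalid attributes, because nothing in the Length text here says what a receiver does with inconsistent lengths.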
3.2. IP-Port-Limit Attribute | 3.1.2. IP-Port-Limit Attribute | |||
This attribute contains an Extended-Type along with a TLV data type | This attribute contains the Extended-Type and IP-Port-Type TLV | |||
with format defined in [RFC6929]. It specifies the maximum number of | defined in Section 3.1.1, along with the embedded IP-Port-Limit TLV | |||
IP ports for a user. | and IP-Port-Ext-IPv4-Addr TLV, defined in Section 3.2.1 and | |||
Section 3.2.2, respectively. It specifies the maximum number of IP | ||||
ports, as indicated in IP-Port-Limit TLV, of a specific port type, | ||||
and associated with a given IPv4 address, as indicated in IP-Port- | ||||
Ext-IPv4-Addr TLV for an end user. Note that when IP-Port-Ext- | ||||
IPv4-Addr TLV is not included as part of the IP-Port-Limit Attribute, | ||||
the port limit is applied to all the IPv4 addresses managed by the | ||||
port device, e.g., a CGN or NAT64 device. | ||||
The IP-Port-Limit MAY appear in an Access-Accept packet, it MAY also | The IP-Port-Limit Attribute MAY appear in an Access-Accept packet. | |||
appear in an Access-Request packet as a hint by the device supporting | It MAY also appear in an Access-Request packet as a hint by the | |||
port ranges, which is co-allocated with the NAS, to the RADIUS server | device supporting port ranges, which is co-allocated with the NAS, to | |||
as a preference, although the server is not required to honor such a | the RADIUS server as a preference, although the server is not | |||
hint. | required to honor such a hint. | |||
The IP-Port-Limit MAY appear in an CoA-Request packet. | The IP-Port-Limit Attribute MAY appear in a CoA-Request packet. | |||
The IP-Port-Limit MAY appear in an Accounting-Request packet. | The IP-Port-Limit Attribute MAY appear in an Accounting-Request | |||
packet. | ||||
The IP-Port-Limit MUST NOT appear in any other RADIUS packets. | The IP-Port-Limit Attribute MUST NOT appear in any other RADIUS | |||
packets. | ||||
The format of the IP-Port-Limit RADIUS attribute format is shown | The format of the IP-Port-Limit Attribute is shown in Figure 2. The | |||
below. The fields are transmitted from left to right. | fields are transmitted from left to right. | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Extended-Type | TLV-Type | | | Type | Length | Extended-Type | TLV1-Type | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| TLV-Length | IP-Port-Limit | | | TLV1-Length | Value .... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Figure 2 | ||||
Type: | Type: | |||
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | |||
Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. | Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. | |||
Length: | Length: | |||
This field indicates the total length in octets of all fields of | This field indicates the total length in bytes of all fields of | |||
this attribute, including the Type, Length, Extended-Type, and the | this attribute, including the Type, Length, Extended-Type, and the | |||
entire length of the embedded TLV. | entire length of the embedded TLVs. | |||
Extended-Type: | Extended-Type: | |||
This one octet field contains a value that indicates the IP port | TBA2 - This one byte field contains a value that indicates the IP | |||
type, refer to Section 3.1 for details. | port type, refer to Section 3.1.1 for detail. | |||
TLV-Type: | TLV1-Type: | |||
TBA2: for IP-Port-Limit TLV. | TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1 | |||
for detail. | ||||
TLV-Length: | TLV1-Length: | |||
4. | This field indicates the total length in bytes of the TLV1, | |||
including the field of TLV1-Type, TLV1-Length, and the entire | ||||
length of the embedded TLVs. | ||||
IP-Port-Limit: | Value: | |||
This field contains the maximum number of IP ports of which, the | This field contains a set of TLVs as follows: | |||
port type is specified by the value contained in the Extended-Type | ||||
field. | ||||
Note this field is semantically associated with the identifier | IP-Port-Limit TLV: | |||
"TBA1.{TBA1-1..TBA1-5}. | ||||
3.3. IP-Port-Range Attribute | This TLV contains the maximum number of IP ports of a specific | |||
IP port type and associated with a given IPv4 address for an | ||||
end user. This TLV must be included in the IP-Port-Limit | ||||
Attribute. Refer to Section 3.2.1. | ||||
This attribute contains an Extended-Type along with a TLV data type | IP-Port-Ext-IPv4-Addr TLV: | |||
with format defined in [RFC6929]. It contains a range of numbers for | ||||
IP ports allocated by a device supporting port ranges for a given | ||||
subscriber along with an external IPv4 address. | ||||
In some CGN deployment scenarios as described such as L2NAT | This TLV contains the IPv4 address that is associated with the | |||
[I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619] and Lightweight | IP port limit contained in the IP-Port-Limit TLV. This TLV is | |||
4over6 [I-D.ietf-softwire-lw4over6], parameters at a customer premise | optionally included as part of the IP-Port-Limit Attribute. | |||
such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6 | Refer to Section 3.2.2. | |||
prefix, VRF ID, etc., may also be required to pass to the RADIUS | ||||
server as part of the accounting record. | ||||
The IP-Port-Range MAY appear in an Accounting-Request packet. | IP-Port-Limit attribute is associated with the following identifier: | |||
Type(TBA1).Extended-Type(TBA2).IP-Port-Type TLV{TBA2-1..TBA2-5}.[IP- | ||||
Port-Limit TLV(TBA3), {IP-Port-Ext-IPv4-Addr TLV (TBA4)}]. | ||||
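Review bot: the sentence on omitting IP-Port-Ext-IPv4-Addr TLV ("the port limit is applied to all the IPv4 addresses managed by the port device") needs to say whether the limit then applies per IPv4 address, per end user across all of that user's addresses, or as one device-wide total; as written a reader cannot tell, and the difference matters for enforcement and for accounting of the quota. "This TLV must be included in the IP-Port-Limit Attribute" should use RFC 2119 "MUST" (and the optional TLV "MAY be included"), since the Requirements Language section is invoked. Two leftovers from -00 survive: "co-allocated with the NAS" should be "co-located with the NAS", and "Refer to Section 3.1.1 for detail" should be "for details". The identifier line "Type(TBA1).Extended-Type(TBA2).IP-Port-Type TLV{TBA2-1..TBA2-5}.[IP-Port-Limit TLV(TBA3), {IP-Port-Ext-IPv4-Addr TLV (TBA4)}]" mixes braces and brackets without saying which denotes a mandatory and which an optional element; one sentence defining the notation would help.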
The IP-Port-Range MUST NOT appear in any other RADIUS packets. | 3.1.3. IP-Port-Range Attribute | |||
The format of the IP-Port-Range RADIUS attribute format is shown | This attribute contains the Extended-Type and IP-Port-Type TLV | |||
below. The fields are transmitted from left to right. | defined in Section 3.1.1, along with a set of embedded TLVs defined | |||
in Section 3.2.7 (IP-Port-Range-Start TLV), Section 3.2.8 (IP-Port- | ||||
Range-End TLV), Section 3.2.6 (IP-Port-Alloc TLV), Section 3.2.2 (IP- | ||||
Port-Ext-IPv4-Addr TLV), and Section 3.2.9 (IP-Port-Local-Id TLV). | ||||
It contains a range of contiguous IP ports of a specific port type, | ||||
associated with an IPv4 address, that are either allocated or | ||||
deallocated by a device for a given subscriber; the information is | ||||
intended to be sent to the RADIUS server. | ||||
This attribute can be used to convey a single IP port number; in such | ||||
case IP-Port-Range-Start and IP-Port-Range-End conveys the same | ||||
value. | ||||
Within an IP-Port-Range Attribute, the IP-Port-Alloc TLV is always | ||||
included. For port allocation, both IP-Port-Range-Start TLV and IP- | ||||
Port-Range-End TLV must be included; for port deallocation, the | ||||
inclusion of these two TLVs is optional and if not included, it | ||||
implies that all ports that are previously allocated are now | ||||
deallocated. Both IP-Port-Ext-IPv4-Addr TLV and IP-Port-Local-Id TLV | ||||
are optional; if included, they are used by the device supporting | ||||
port ranges (e.g., a CGN device) to identify the end user. | ||||
The IP-Port-Range Attribute MAY appear in an Accounting-Request | ||||
packet. | ||||
The IP-Port-Range Attribute MUST NOT appear in any other RADIUS | ||||
packets. | ||||
The format of the IP-Port-Range Attribute format is shown in | ||||
Figure 3. The fields are transmitted from left to right. | ||||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Extended-Type | TLV-Type | | | Type | Length | Extended-Type | TLV1-Type | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV-Length | Reserved | Port Range Start | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| Port range End | External IPv4 Address | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| External IPv4 Address | Local Session ID .... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| TLV1-Length | Value .... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 3 | ||||
Type: | Type: | |||
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | |||
Type-3 (243), or Extended-Type-4 (244) per [RFC6929] | Type-3 (243), or Extended-Type-4 (244) per [RFC6929] | |||
Length: | Length: | |||
This field indicates the total length in octets of all fields of | This field indicates the total length in bytes of all fields of | |||
this attribute, including the Type, Length, Extended-Type, and the | this attribute, including the Type, Length, Extended-Type, and the | |||
entire length of the embedded TLV. | entire length of the embedded TLVs. | |||
Extended-Type: | Extended-Type: | |||
This one octet field contains a value that indicates the IP port | TBA2 - This one byte field contains a value that indicates the IP | |||
type, refer to Section 3.1 for details. | port type, refer to Section 3.1.1 for detail. | |||
TLV-Type: | TLV1-Type: | |||
TBA3: | TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1 | |||
for detail. | ||||
Allocation for IP-Port-Range TLV. | TLV1-Length: | |||
TBA4: | This field indicates the total length in bytes of the TLV1, | |||
including the field of TLV1-Type, TLV1-Length, and the entire | ||||
length of the embedded TLVs. | ||||
De-allocation for IP-Port-Range TLV. | Value: | |||
TLV-Length: | This field contains a set of TLVs as follows: | |||
>=11. | IP-Port-Alloc TLV: | |||
Reserved: | This TLV contains a flag to indicate that the range of the | |||
specified IP ports for either allocation or deallocation. This | ||||
TLV must be included as part of the IP-Port-Range Attribute. | ||||
Refer to Section 3.2.6. | ||||
This field MUST be set to zero by the sender and ignored by the | IP-Port-Range-Start TLV: | |||
receiver. | ||||
Port Range Start: | This TLV contains the smallest port number of a range of | |||
contiguous IP ports. To report the port allocation, this TLV | ||||
must be included together with IP-Port-Range-End TLV as part of | ||||
the IP-Port-Range Attribute. Refer to Section 3.2.7. | ||||
This field contains the smallest IP port number, as specified in | IP-Port-Range-End TLV: | |||
the Extended-Type, in the IP port range. | ||||
Port Range End: | This TLV contains the largest port number of a range of | |||
contiguous IP ports. To report the port allocation, this TLV | ||||
must be included together with IP-Port-Range-Start TLV as part | ||||
of the IP-Port-Range Attribute. Refer to Section 3.2.8. | ||||
This field contains the largest IP port number, as specified in | IP-Port-Ext-IPv4-Addr TLV: | |||
the Extended-Type, in the IP port range. | ||||
External IPv4 Address: | This TLV contains the IPv4 address that is associated with the | |||
IP port range, as collectively indicated in the IP-Port-Range- | ||||
Start TLV and the IP-Port-Range-End TLV. This TLV is | ||||
optionally included as part of the IP-Port-Range Attribute. | ||||
Refer to Section 3.2.2. | ||||
This field contains the IPv4 address assigned to the associated | IP-Port-Local-Id TLV: | |||
subscriber to be used in the external realm. If set to 0.0.0.0, | ||||
the allocation address policy is local to the device supporting | ||||
port ranges. | ||||
Local Session ID: | This TLV contains a local session identifier at the customer | |||
premise, such as MAC address, interface ID, VLAN ID, PPP | ||||
sessions ID, VRF ID, IPv6 address/prefix, etc. This TLV is | ||||
optionally included as part of the IP-Port-Range Attribute. | ||||
Refer to Section 3.2.9. | ||||
This is an optional field and if presents, it contains a local | The IP-Port-Range attribute is associated with the following | |||
session identifier at the customer premise, such as MAC address, | identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type | |||
interface ID, VLAN ID, PPP sessions ID, VRF ID, IPv6 address/ | TLV{TBA2-1..TBA2-5}.[IP-Port-Alloc TLV(TBA8), {IP-Port-Range-Start | |||
prefix, etc. The length of this field equals to the value in the | TLV (TBA9), IP-Port-Range-End TLV (TBA10)}, {IP-Port-Ext-IPv4-Addr | |||
TLV Length field minus 11 octets. If this field is not present, | TLV (TBA4)}, {IP-Port-Local-Id TLV (TBA11)}]. | |||
the port range policies must be enforced to all subscribers using | ||||
a local subscriber identifier. | ||||
Note the data group in the "TLV Value" field above (i.e., "Port Range | 3.1.4. IP-Port-Forwarding-Map Attribute | |||
Start", "Port Range End", "External IPv4 Address", and "Local Session | ||||
ID") is indicated by the identifier | ||||
TBA1.{TBA1-1..TBA1-5}.{TBA3..TBA4}. | ||||
3.4. IP-Port-Forwarding-Map Attribute | This attribute contains the Extended-Type and IP-Port-Type TLV | |||
defined in Section 3.1.1, along with a set of embedded TLVs defined in | ||||
Section 3.2.4 (IP-Port-Int-Port TLV), Section 3.2.5 (IP-Port-Ext-Port | ||||
TLV), Section 3.2.3 (IP-Port-Int-IP-Addr TLV), Section 3.2.9 (IP-Port- | ||||
Local-Id TLV) and Section 3.2.2 (IP-Port-Ext-IPv4-Addr TLV). The | ||||
attribute contains a 2-byte IP internal port number that is | ||||
associated with an internal IPv4 or IPv6 address, or a locally | ||||
significant identifier at the customer site, and a 2-byte IP external | ||||
port number that is associated with an external IPv4 address. The | ||||
internal IPv4 or IPv6 address, or the local identifier must be | ||||
included; the external IPv4 address may also be included. | ||||
This attribute contains an Extended-Type along with a TLV data type | The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept | |||
with format defined in [RFC6929]. It contains a 16-bit Internal Port | packet. It MAY also appear in an Access-Request packet as a hint by | |||
that identifies the source TCP/UDP port number of an IP packet sent | the device supporting port mapping, which is co-located with the |
by the user, or the destination port number of an IP packet destined | NAS, to the RADIUS server as a preference, although the server is not | |||
to the user, and in both cases, the IP packet travels behind the NAT | required to honor such a hint. | |||
device. Also it contains a 16-bit Configured External Port that | ||||
identifies the source TCP/UDP port number of an IP packet sent by the | ||||
user, or the destination port number of an IP packet destined to the | ||||
user, and in both cases, the IP packet travels outside of the NAT | ||||
device. In addition, the attribute may contain a 32-bit IPv4 address | ||||
or a 128-bit IPv6 address, respectively, as their respective NAT | ||||
mappings internal IP address. Together, the port pair and IP address | ||||
determine the port mapping rule for a specific IP flow that traverses | ||||
a NAT device. | ||||
The attribute MAY appear in an Access-Accept packet, and may also | The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request | |||
appear in an Accounting-Request packet. In either case, the | packet. | |||
attribute MUST NOT appear more than once in a single packet. | ||||
The attribute MUST NOT appear in any other RADIUS packets. | The IP-Port-Forwarding-Map Attribute MAY also appear in an | |||
Accounting-Request packet. | ||||
The format of the Port-Forwarding-Map RADIUS attribute format is | The attribute MUST NOT appear in any other RADIUS packet. | |||
shown below. The fields are transmitted from left to right. | ||||
The format of the IP-Port-Forwarding-Map Attribute is shown in | ||||
Figure 4. The fields are transmitted from left to right. | ||||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Extended-Type | TLV-Type | | | Type | Length | Extended-Type | TLV1-Type | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV-Length | Resevered | Internal Port | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| Configured External Port | Internal IP Address ..... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| TLV1-Length | Value .... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Type: | Figure 4 | |||
Type: | Type: | |||
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- | |||
Type-3 (243), or Extended-Type-4 (244) per [RFC6929] | Type-3 (243), or Extended-Type-4 (244) per [RFC6929] | |||
Length: | Length: | |||
This field indicates the total length in octets of all fields of | This field indicates the total length in bytes of all fields of | |||
this attribute, including the Type, Length, Extended-Type, and the | this attribute, including the Type, Length, Extended-Type, and the | |||
entire length of the embedded TLV. | entire length of the embedded TLVs. | |||
Extended-Type: | Extended-Type: | |||
This one octet field contains a value that indicates the IP port | This one byte field contains a value that indicates the IP port | |||
type, refer to Section 3.1 for details. | type, refer to Section 3.1.1 for details. | |||
TLV-Type: | TLV1-Type: | |||
TBA5 - It indicates IP port mapping, and the associated internal | TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1 | |||
IP address is an IPv4 or IPv6 address, or not included. | for detail. | |||
TLV-Length: | TLV1-Length: | |||
>=7. | This field indicates the total length in bytes of the TLV1, | |||
including the field of TLV1-Type, TLV1-Length, and the entire | ||||
length of the embedded TLVs. | ||||
Reserved: | Value: | |||
This field is set to zero by the sender and ignored by the | This field contains a set of TLVs as follows: | |||
receiver. | ||||
Internal Port: | IP-Port-Int-Port TLV: | |||
This field contains the internal port for the CGN mapping. | This TLV contains an internal IP port number associated with an | |||
internal IPv4 or IPv6 address. This TLV must be included | ||||
together with IP-Port-Ext-Port TLV as part of the IP-Port- | ||||
Forwarding-Map attribute. Refer to Section 3.2.4. | ||||
Configured External Port: | IP-Port-Ext-Port TLV: | |||
This field contains the external port for the CGN mapping. | This TLV contains an external IP port number associated with an | |||
external IPv4 address. This TLV must be included together with | ||||
IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map | ||||
attribute. Refer to Section 3.2.5. | ||||
Internal IP Address: | IP-Port-Int-IP-Addr TLV: | |||
This field may or may not present, and when it does, contains the | This TLV contains an IPv4 or IPv6 address that is associated | |||
internal IPv4 or IPv6 address for the CGN mapping. Its length | with the internal IP port number contained in the IP-Port-Int- | |||
equal to the value in the TLV Length field minus 7. | Port TLV. Either this TLV or IP-Port-Local-Id TLV must be | |||
included as part of the IP-Port-Forwarding-Map Attribute. | ||||
Refer to Section 3.2.3. | ||||
Note the data group in the "TLV Value" field above (i.e., "Internal | IP-Port-Local-Id TLV: | |||
Port", "Configured External Port", and "Internal IP Address") is | ||||
indicated by the identifier TBA1.{TBA1-1..TBA1-5}.TBA5. | This TLV contains a local session identifier at the customer | |||
premise, such as MAC address, interface ID, VLAN ID, PPP | ||||
sessions ID, VRF ID, IPv6 address/prefix, etc. Either this TLV | ||||
or IP-Port-Int-IP-Addr TLV must be included as part of the IP- | ||||
Port-Forwarding-Map Attribute. Refer to Section 3.2.9. | ||||
IP-Port-Ext-IPv4-Addr TLV: | ||||
This TLV contains an IPv4 address that is associated with the | ||||
external IP port number contained in the IP-Port-Ext-Port TLV. | ||||
This TLV may be included as part of the IP-Port-Forwarding-Map | ||||
Attribute. Refer to Section 3.2.2. | ||||
The IP-Port-Forwarding-Map attribute is associated with the following | ||||
identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type | ||||
TLV{TBA2-1..TBA2-5}.[IP-Port-Int-Port TLV(TBA6), IP-Port-Ext-Port | ||||
TLV(TBA7), {IP-Port-Int-IP-Addr TLV (TBA5)}, {IP-Port-Ext-IPv4-Addr | ||||
TLV (TBA4)}]. | ||||
3.2. RADIUS TLVs for IP Ports | ||||
3.2.1. IP-Port-Limit TLV | ||||
This TLV (Figure 5) uses the format defined in [RFC6929]. Its Value | ||||
field contains a 2-byte integer called IP-Port-Limit, which indicates | ||||
the maximum number of ports of a specified IP-Port-Type and | ||||
associated with a given IPv4 address assigned to a subscriber. | ||||
IP-Port-Limit TLV is included as part of the IP-Port-Limit Attribute | ||||
(refer to Section 3.1.2). | ||||
Note that IP-Port-Limit TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV2-Type | TLV2-Length | IP-Port-Limit | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 5 | ||||
TLV2-Type: | ||||
TBA3: The type field for IP-Port-Limit TLV. | ||||
TLV2-Length: | ||||
This field indicates the total length in bytes of the TLV2, | ||||
including the field of TLV2-Type, TLV2-Length, and the Value | ||||
field, i.e., IP-Port-Limit. | ||||
IP-Port-Limit: | ||||
2-byte integer. This field contains the maximum number of IP | ||||
ports of the port type specified by the containing IP-Port-Type | ||||
TLV. | ||||
3.2.2. IP-Port-Ext-IPv4-Addr TLV | ||||
This TLV (Figure 6) uses the format defined in [RFC6929]. Its Value | ||||
field contains a 4-byte External IPv4 address. | ||||
IP-Port-Ext-IPv4-Addr TLV can be included as part of the IP-Port- | ||||
Limit Attribute (refer to Section 3.1.2), IP-Port-Range Attribute | ||||
(refer to Section 3.1.3), and IP-Port-Forwarding-Map Attribute (refer | ||||
to Section 3.1.4). | ||||
Note that IP-Port-Ext-IPv4-Addr TLV is embedded within IP-Port-Type | ||||
TLV (refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV3-Type | TLV3-Length | IP-Port-Ext-IPv4-Addr | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| IP-Port-Ext-IPv4-Addr | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 6 | ||||
TLV3-Type: | ||||
TBA4: The type field for IP-Port-Ext-IPv4-Addr TLV. | ||||
TLV3-Length: | ||||
6. The Length field for IP-Port-Ext-IPv4-Addr TLV. | ||||
IP-Port-Ext-IPv4-Addr: | ||||
4-byte integer. This field contains the IPv4 address that is | ||||
associated with the range of IP ports. | ||||
3.2.3. IP-Port-Int-IP-Addr TLV | ||||
This TLV (Figure 7) uses format defined in [RFC6929]. Its Value | ||||
field contains an internal IPv4 or IPv6 address. | ||||
IP-Port-Int-IP-Addr TLV can be included as part of the IP-Port- | ||||
Forwarding-Map Attribute (refer to Section 3.1.4). | ||||
Note that IP-Port-Int-IP-Addr TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV4-Type | TLV4-Length | IP-Port-Int-IP-Addr.... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 7 | ||||
TLV4-Type: | ||||
TBA5: The type field for IP-Port-Int-IP-Addr TLV. | ||||
TLV4-Length: | ||||
6 or 18 bytes. The Length field for IP-Port-Int-IP-Addr TLV. | ||||
IP-Port-Int-IP-Addr: | ||||
4 bytes for an IPv4 address or 16 bytes for an IPv6 address. | ||||
3.2.4. IP-Port-Int-Port TLV | ||||
This TLV (Figure 8) uses format defined in [RFC6929]. Its Value | ||||
field contains an internal IP port number that is associated with an | ||||
internal IPv4 or IPv6 address. | ||||
IP-Port-Int-Port TLV is included as part of the IP-Port-Forwarding- | ||||
Map Attribute (refer to Section 3.1.4). | ||||
Note that IP-Port-Int-Port TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV5-Type | TLV5-Length | IP-Port-Int-Port | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 8 | ||||
TLV5-Type: | ||||
TBA6: The type field for IP-Port-Int-Port TLV. | ||||
TLV5-Length: | ||||
4 bytes. The Length field for IP-Port-Int-Port TLV. | ||||
IP-Port-Int-Port: | ||||
2 byte integer. The internal IP port number that is associated | ||||
with an IPv4 or IPv6 address. | ||||
3.2.5. IP-Port-Ext-Port TLV | ||||
This TLV (Figure 9) uses format defined in [RFC6929]. Its Value | ||||
field contains an external IP port number that is associated with an | ||||
external IPv4 address. | ||||
IP-Port-Ext-Port TLV is included as part of the IP-Port-Forwarding- | ||||
Map Attribute (refer to Section 3.1.4). | ||||
IP-Port-Ext-Port TLV is embedded within IP-Port-Type TLV (refer to | ||||
Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV6-Type | TLV6-Length | IP-Port-Ext-Port | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 9 | ||||
TLV6-Type: | ||||
TBA7: The type field for IP-Port-Ext-Port TLV. | ||||
TLV6-Length: | ||||
4 bytes. The Length field for IP-Port-Ext-Port TLV. | ||||
IP-Port-Ext-Port: | ||||
2 byte integer. The external IP port number that is associated | ||||
with an IPv4 address. | ||||
3.2.6. IP-Port-Alloc TLV | ||||
This TLV (Figure 10) uses format defined in [RFC6929]. Its Value | ||||
field contains a 2-byte integer called IP-Port-Alloc, which indicates | ||||
either the allocation or deallocation of a range of IP ports. | ||||
IP-Port-Alloc TLV is included as part of the IP-Port-Range Attribute | ||||
(refer to Section 3.1.3). | ||||
Note that IP-Port-Alloc TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV7-Type | TLV7-Length | IP-Port-Alloc | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 10 | ||||
TLV7-Type: | ||||
TBA8: The type field for IP-Port-Alloc TLV. | ||||
TLV7-Length: | ||||
4. The Length field for IP-Port-Alloc TLV. | ||||
IP-Port-Alloc: | ||||
2-byte integer. This field indicates the allocation or | ||||
deallocation of a range of IP ports as follows: | ||||
0: | ||||
Allocation | ||||
1: | ||||
Deallocation | ||||
3.2.7. IP-Port-Range-Start TLV | ||||
This TLV (Figure 11) uses format defined in [RFC6929]. Its Value | ||||
field contains a 2-byte integer called IP-Port-Range-Start, which | ||||
indicates the smallest port number of a range of contiguous IP ports. | ||||
IP-Port-Range-Start TLV is included as part of the IP-Port-Range | ||||
Attribute (refer to Section 3.1.3). | ||||
Note that IP-Port-Range-Start TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV8-Type | TLV8-Length | IP-Port-Range-Start | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 11 | ||||
TLV8-Type: | ||||
TBA9: The type field for IP-Port-Range-Start TLV. | ||||
TLV8-Length: | ||||
4. The Length field for IP-Port-Range-Start TLV. | ||||
IP-Port-Range-Start: | ||||
2-byte integer. This field contains the smallest port number of a | ||||
range of contiguous IP ports. | ||||
3.2.8. IP-Port-Range-End TLV | ||||
This TLV (Figure 12) uses format defined in [RFC6929]. Its Value | ||||
field contains a 2-byte integer called IP-Port-Range-End, which | ||||
indicates the largest port number of a range of contiguous IP ports. | ||||
IP-Port-Range-End TLV is included as part of the IP-Port-Range | ||||
Attribute (refer to Section 3.1.3). | ||||
Note that IP-Port-Range-End TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV9-Type | TLV9-Length | IP-Port-Range-End | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 12 | ||||
TLV9-Type: | ||||
TBA10: The type field for IP-Port-Range-End TLV. | ||||
TLV9-Length: | ||||
4. The Length field for IP-Port-Range-End TLV. | ||||
IP-Port-Range-End: | ||||
2-byte integer. This field contains the largest port number of a | ||||
range of contiguous IP ports. | ||||
3.2.9. IP-Port-Local-Id TLV | ||||
This TLV (Figure 13) uses format defined in [RFC6929]. Its Value | ||||
field contains an identifier with local significance. | ||||
In some CGN deployment scenarios as described such as L2NAT | ||||
[I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619] and Lightweight | ||||
4over6 [I-D.ietf-softwire-lw4over6], parameters at a customer premise | ||||
such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6 | ||||
prefix, VRF ID, etc., may also be required to pass to the RADIUS | ||||
server as part of the accounting record. | ||||
IP-Port-Local-Id TLV can be included as part of the IP-Port-Range | ||||
Attribute (refer to Section 3.1.3) and IP-Port-Forwarding-Map | ||||
Attribute (refer to Section 3.1.4). | ||||
Note that IP-Port-Local-Id TLV is embedded within IP-Port-Type TLV | ||||
(refer to Section 3.1.1) for detail. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| TLV10-Type | TLV10-Length | IP-Port-Local-Id... | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Figure 13 | ||||
TLV10-Type: | ||||
TBA11: The type field for IP-Port-Local-Id TLV. | ||||
TLV10-Length: | ||||
Variable number of bytes. The Length field for IP-Port-Local-Id | ||||
TLV. | ||||
IP-Port-Local-Id: | ||||
This is a local session identifier at the customer premise, such | ||||
as MAC address, interface ID, VLAN ID, PPP sessions ID, VRF ID, | ||||
IPv6 address/prefix, etc. The length of this field is the value | ||||
contained in the TLV10-Length field minus 2. | ||||
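The attribute layouts of Sections 3.1.3 and 3.1.4 and the nested TLVs of Section 3.2, as an added encoder and decoder in Python. This is an illustration written for this page, not code from the draft or its authors. Every code point in the draft is still TBA, so TYPE_TBA1 (241 is one of the four containers the draft permits), EXT_TYPE_TBA2 and the nested TLV types 3..11 are placeholder values chosen here, and the IP-Port-Type value (TBA2-1..TBA2-5, Section 3.1.1, which is not reproduced on this page) is carried as an opaque integer. The decoder enforces what the text states: the one-octet Length bound, the fixed sizes of the 2-byte and 4-byte TLVs, IP-Port-Alloc present in every IP-Port-Range, Range-Start and Range-End as a pair that is mandatory for an allocation and whose absence on a deallocation means release of all ports, and Int-IP-Addr or Local-Id in every IP-Port-Forwarding-Map.

```python
"""Added example (not the draft's code): RFC 6929 Extended-Type layout of the
IP-Port-Limit, IP-Port-Range and IP-Port-Forwarding-Map attributes."""
import ipaddress

# Every code point is TBA in the draft; the values below are placeholders only.
TYPE_TBA1 = 241        # one of the four Extended-Type containers the draft allows
EXT_TYPE_TBA2 = 5      # ASSUMED Extended-Type TBA2, shared by all three attributes
TLV_LIMIT = 3          # TBA3  IP-Port-Limit, 2-byte count
TLV_EXT_IPV4 = 4       # TBA4  IP-Port-Ext-IPv4-Addr, 4 bytes
TLV_INT_IP = 5         # TBA5  IP-Port-Int-IP-Addr, 4 or 16 bytes
TLV_INT_PORT = 6       # TBA6  IP-Port-Int-Port, 2 bytes
TLV_EXT_PORT = 7       # TBA7  IP-Port-Ext-Port, 2 bytes
TLV_ALLOC = 8          # TBA8  IP-Port-Alloc: 0 = allocation, 1 = deallocation
TLV_RANGE_START = 9    # TBA9  IP-Port-Range-Start, 2 bytes
TLV_RANGE_END = 10     # TBA10 IP-Port-Range-End, 2 bytes
TLV_LOCAL_ID = 11      # TBA11 IP-Port-Local-Id, opaque and variable length
FIXED_LEN = {TLV_LIMIT: 2, TLV_EXT_IPV4: 4, TLV_INT_PORT: 2, TLV_EXT_PORT: 2,
             TLV_ALLOC: 2, TLV_RANGE_START: 2, TLV_RANGE_END: 2}


def _u16(n):
    return n.to_bytes(2, "big")   # raises OverflowError outside 0..65535


# keyword -> (nested TLV type, packer); the IP-Port-Type value is an opaque int
FIELDS = {"limit": (TLV_LIMIT, _u16), "alloc": (TLV_ALLOC, _u16),
          "start": (TLV_RANGE_START, _u16), "end": (TLV_RANGE_END, _u16),
          "int_port": (TLV_INT_PORT, _u16), "ext_port": (TLV_EXT_PORT, _u16),
          "int_ip": (TLV_INT_IP, lambda a: ipaddress.ip_address(a).packed),
          "ext_ipv4": (TLV_EXT_IPV4, lambda a: ipaddress.IPv4Address(a).packed),
          "local_id": (TLV_LOCAL_ID, bytes)}


def _tlv(t, value):
    """Type(1) Length(1) Value; Length covers the header, so Value <= 253 bytes."""
    if len(value) > 253:
        raise ValueError("TLV value too long")
    return bytes([t, len(value) + 2]) + value


def encode(port_type, **fields):
    """Type | Length | Extended-Type | IP-Port-Type TLV{ nested TLVs }.  Which of
    the three attributes results follows from the TLVs supplied (see decode)."""
    if set(fields) - set(FIELDS):
        raise ValueError("unknown field(s) %s" % sorted(set(fields) - set(FIELDS)))
    inner = b"".join(_tlv(t, pack(fields[k])) for k, (t, pack) in FIELDS.items()
                     if fields.get(k) is not None)
    tlv1 = _tlv(port_type, inner)
    if 3 + len(tlv1) > 255:
        raise ValueError("attribute exceeds the one-octet RADIUS Length")
    return bytes([TYPE_TBA1, 3 + len(tlv1), EXT_TYPE_TBA2]) + tlv1


def _parse_tlvs(buf, fixed=None):
    """Walk a TLV sequence; reject truncated, short (Length < 2) or mis-sized items."""
    out, i = [], 0
    while i < len(buf):
        t, ln = buf[i], (buf[i + 1] if i + 1 < len(buf) else 0)
        if ln < 2 or i + ln > len(buf) or (fixed and t in fixed and ln - 2 != fixed[t]):
            raise ValueError("bad TLV length at offset %d" % i)
        out.append((t, buf[i + 2:i + ln]))
        i += ln
    return out


def decode(attr):
    """Parse one attribute, classify it by its nested TLVs, apply the draft's rules."""
    if len(attr) < 5 or attr[0] != TYPE_TBA1 or attr[1] != len(attr) or attr[2] != EXT_TYPE_TBA2:
        raise ValueError("not one of this draft's attributes, or bad Length")
    tlv1 = _parse_tlvs(attr[3:])
    if len(tlv1) != 1:
        raise ValueError("exactly one IP-Port-Type TLV expected")
    port_type, value = tlv1[0]
    seen = {}
    for t, v in _parse_tlvs(value, FIXED_LEN):
        if t in seen:
            raise ValueError("duplicate TLV type %d" % t)
        seen[t] = v
    u16 = lambda t: int.from_bytes(seen[t], "big") if t in seen else None
    out = {"port_type": port_type, "local_id": seen.get(TLV_LOCAL_ID), "ext_ipv4":
           str(ipaddress.IPv4Address(seen[TLV_EXT_IPV4])) if TLV_EXT_IPV4 in seen else None}
    if TLV_LIMIT in seen:
        out.update(kind="limit", limit=u16(TLV_LIMIT))
    elif TLV_ALLOC in seen:
        alloc, start, end = u16(TLV_ALLOC), u16(TLV_RANGE_START), u16(TLV_RANGE_END)
        if alloc not in (0, 1) or (start is None) != (end is None) or (alloc == 0 and start is None):
            raise ValueError("Alloc must be 0/1; Start/End come as a pair, required for allocation")
        if start is not None and start > end:
            raise ValueError("Range-Start exceeds Range-End")
        # a deallocation without a range releases everything previously allocated
        out.update(kind="range", alloc=alloc, start=start, end=end,
                   release_all=(alloc == 1 and start is None))
    elif TLV_INT_PORT in seen and TLV_EXT_PORT in seen:
        int_ip = seen.get(TLV_INT_IP)
        if int_ip is None and TLV_LOCAL_ID not in seen:
            raise ValueError("Forwarding-Map needs Int-IP-Addr or Local-Id")
        if int_ip is not None and len(int_ip) not in (4, 16):
            raise ValueError("Int-IP-Addr must be 4 or 16 bytes")
        out.update(kind="map", int_port=u16(TLV_INT_PORT), ext_port=u16(TLV_EXT_PORT),
                   int_ip=None if int_ip is None else str(ipaddress.ip_address(int_ip)))
    else:
        raise ValueError("no TLV identifies which attribute this is")
    return out


def rejects(attr):
    """True when decode() refuses the attribute (used for negative checks)."""
    try:
        decode(attr)
        return False
    except ValueError:
        return True
```

The Length checks in _parse_tlvs are the part a receiver must not skip: a TLV-Length of 0 or 1 would otherwise loop forever or walk past the end of the attribute, and a mis-sized fixed TLV would be read as a different value than the sender intended.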
4. Applications, Use Cases and Examples | 4. Applications, Use Cases and Examples | |||
This section describes some applications and use cases to illustrate | This section describes some applications and use cases to illustrate | |||
the use of the attributes propsoed in this document. | the use of the attributes proposed in this document. | |||
4.1. Managing CGN Port Behavior using RADIUS | 4.1. Managing CGN Port Behavior using RADIUS | |||
In a broadband network, customer information is usually stored on a | In a broadband network, customer information is usually stored on a | |||
RADIUS server, and the BNG hosts the NAS. The communication between | RADIUS server, and the BNG hosts the NAS. The communication between | |||
the NAS and the RADIUS server is triggered by a subscriber when the | the NAS and the RADIUS server is triggered by a subscriber when the | |||
user signs in to the Internet service, where either PPP or DHCP/ | user signs in to the Internet service, where either PPP or DHCP/ | |||
DHCPv6 is used. When a user signs in, the NAS sends a RADIUS Access- | DHCPv6 is used. When a user signs in, the NAS sends a RADIUS Access- | |||
Request message to the RADIUS server. The RADIUS server validates | Request message to the RADIUS server. The RADIUS server validates | |||
the request, and if the validation succeeds, it in turn sends back a | the request, and if the validation succeeds, it in turn sends back a | |||
skipping to change at page 13, line 34 | skipping to change at page 22, line 43 | |||
Stack Lite [RFC6333], NAT64 [RFC6146], etc. As a result, a single | Stack Lite [RFC6333], NAT64 [RFC6146], etc. As a result, a single | |||
IPv4 public address may be shared by hundreds or even thousands of | IPv4 public address may be shared by hundreds or even thousands of | |||
subscribers. As indicated in [RFC6269], it is therefore necessary to | subscribers. As indicated in [RFC6269], it is therefore necessary to | |||
impose limits on the total number of ports available to an individual | impose limits on the total number of ports available to an individual | |||
subscriber to ensure that the shared resource, i.e., the IPv4 address | subscriber to ensure that the shared resource, i.e., the IPv4 address | |||
remains available in some capacity to all the subscribers using it, | remains available in some capacity to all the subscribers using it, | |||
and port limiting is also documented in [RFC6888] as a requirement. | and port limiting is also documented in [RFC6888] as a requirement. | |||
The IP port limit imposed to a specific subscriber may be on the | The IP port limit imposed to a specific subscriber may be on the | |||
total number of TCP and UDP ports plus the number of ICMP | total number of TCP and UDP ports plus the number of ICMP | |||
identifiers, or with other granularities as defined in Section 3.2. | identifiers, or with other granularities as defined in Section 3.1.2. | |||
The per-subscriber based IP port limit is configured on a RADIUS | The per-subscriber based IP port limit is configured on a RADIUS | |||
server, along with other user information such as credentials. The | server, along with other user information such as credentials. The | |||
value of these IP port limit is based on service agreement and its | value of these IP port limit is based on service agreement and its | |||
specification is out of the scope of this document. | specification is out of the scope of this document. | |||
When a subscriber signs in to the Internet service successfully, the | When a subscriber signs in to the Internet service successfully, the | |||
IP port limit for the subscriber is passed to the BNG based NAS, | IP port limit for the subscriber is passed to the BNG based NAS, | |||
where CGN also locates, using a new RADIUS attribute called IP-Port- | where the CGN is also located, using a new RADIUS attribute called IP-Port- |
Limit (defined in Section 3.2), along with other configuration | Limit (defined in Section 3.1.2), along with other configuration | |||
parameters. While some parameters are passed to the subscriber, the | parameters. While some parameters are passed to the subscriber, the | |||
IP port limit is recorded on the CGN device for imposing the usage of | IP port limit is recorded on the CGN device for imposing the usage of | |||
TCP/UDP ports and ICMP identifiers for that subscriber. | TCP/UDP ports and ICMP identifiers for that subscriber. | |||
Figure 1 illustrates how RADIUS protocol is used to configure the | Figure 14 illustrates how RADIUS protocol is used to configure the | |||
maximum number of TCP/UDP ports for a given subscriber on a NAT44 | maximum number of TCP/UDP ports for a given subscriber on a NAT44 | |||
device. | device. | |||
User NAT44/NAS AAA | User NAT44/NAS AAA | |||
| BNG Server | | BNG Server | |||
| | | | | | | | |||
| | | | | | | | |||
|----Service Request------>| | | |----Service Request------>| | | |||
| | | | | | | | |||
| |-----Access-Request -------->| | | |-----Access-Request -------->| | |||
skipping to change at page 14, line 24 | skipping to change at page 23, line 33 | |||
| | (IP-Port-Limit) | | | | (IP-Port-Limit) | | |||
| | (for TCP/UDP ports) | | | | (for TCP/UDP ports) | | |||
|<---Service Granted ------| | | |<---Service Granted ------| | | |||
| (other parameters) | | | | (other parameters) | | | |||
| | | | | | | | |||
| (NAT44 external port | | | (NAT44 external port | | |||
| allocation and | | | allocation and | | |||
| IPv4 address assignment) | | | IPv4 address assignment) | | |||
| | | | | | | | |||
Figure 1: RADIUS Message Flow for Configuring NAT44 Port Limit | Figure 14: RADIUS Message Flow for Configuring NAT44 Port Limit | |||
The IP port limit created on a CGN device for a specific user using | The IP port limit created on a CGN device for a specific user using | |||
RADIUS extension may be changed using RADIUS CoA message [RFC5176] | RADIUS extension may be changed using RADIUS CoA message [RFC5176] | |||
that carries the same RADIUS attribute. The CoA message may be sent | that carries the same RADIUS attribute. The CoA message may be sent | |||
from the RADIUS server directly to the NAS, which once accepts and | from the RADIUS server directly to the NAS; once the NAS accepts it and |
sends back a RADIUS CoA ACK message, the new IP port limit replaces | sends back a RADIUS CoA-ACK message, the new IP port limit replaces |
the previous one. | the previous one. | |||
Figure 2 illustrates how RADIUS protocol is used to increase the TCP/ | Figure 15 illustrates how RADIUS protocol is used to increase the | |||
UDP port limit from 1024 to 2048 on a NAT44 device for a specific | TCP/UDP port limit from 1024 to 2048 on a NAT44 device for a specific | |||
user. | user. | |||
User NAT/NAS AAA | User NAT/NAS AAA | |||
| BNG Server | | BNG Server | |||
| | | | | | | | |||
| TCP/UDP Port Limit (1024) | | | TCP/UDP Port Limit (1024) | | |||
| | | | | | | | |||
| |<---------CoA Request----------| | | |<---------CoA Request----------| | |||
| | (IP-Port-Limit) | | | | (IP-Port-Limit) | | |||
| | (for TCP/UDP ports) | | | | (for TCP/UDP ports) | | |||
| | | | | | | | |||
| TCP/UDP Port Limit (2048) | | | TCP/UDP Port Limit (2048) | | |||
| | | | | | | | |||
| |---------CoA Response--------->| | | |---------CoA Response--------->| | |||
| | | | | | | | |||
Figure 2: RADIUS Message Flow for changing a user's NAT44 port limit | Figure 15: RADIUS Message Flow for changing a user's NAT44 port limit | |||
4.1.2. Report IP Port Allocation/De-allocation | 4.1.2. Report IP Port Allocation/De-allocation | |||
Upon obtaining the IP port limit for a subscriber, the CGN device | Upon obtaining the IP port limit for a subscriber, the CGN device | |||
needs to allocate a TCP/UDP port or an ICMP identifiers for the | needs to allocate a TCP/UDP port or an ICMP identifiers for the | |||
subscriber when receiving a new IP flow sent from that subscriber. | subscriber when receiving a new IP flow sent from that subscriber. | |||
As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP | As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP | |||
identifiers once at a time for a specific user, instead of one port/ | identifiers once at a time for a specific user, instead of one port/ | |||
identifier at a time, and within each port bulk, the ports/ | identifier at a time, and within each port bulk, the ports/ | |||
identifiers may be randomly distributed or in consecutive fashion. | identifiers may be randomly distributed or in consecutive fashion. | |||
When a CGN device allocates bulk of TCP/UDP ports and ICMP | When a CGN device allocates bulk of TCP/UDP ports and ICMP | |||
identifiers, the information can be easily conveyed to the RADIUS | identifiers, the information can be easily conveyed to the RADIUS | |||
server by a new RADIUS attribute called the IP-Port-Range (defined in | server by a new RADIUS attribute called the IP-Port-Range (defined in | |||
Section 3.3). The CGN device may allocate one or more TCP/UDP port | Section 3.1.3). The CGN device may allocate one or more TCP/UDP port | |||
ranges or ICMP identifier ranges, or generally called IP port ranges, | ranges or ICMP identifier ranges, or generally called IP port ranges, | |||
where each range contains a set of numbers representing TCP/UDP ports | where each range contains a set of numbers representing TCP/UDP ports | |||
or ICMP identifiers, and the total number of ports/identifiers must | or ICMP identifiers, and the total number of ports/identifiers must | |||
be less or equal to the associated IP port limit imposed for that | be less or equal to the associated IP port limit imposed for that | |||
subscriber. A CGN device may choose to allocate a small port range, | subscriber. A CGN device may choose to allocate a small port range, | |||
and allocate more at a later time as needed; such practice is good | and allocate more at a later time as needed; such practice is good | |||
because its randomization in nature. | because its randomization in nature. | |||
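Review bot: The requirement in this paragraph that the total number of allocated ports/identifiers "must be less or equal to the associated IP port limit" is written with a lowercase "must" although it reads as a conformance constraint on the CGN; since the draft invokes RFC 2119 key words, write "MUST be less than or equal to" if it is binding. Two wording defects also carry over unchanged from -00: "an ICMP identifiers" should be "an ICMP identifier", and the closing "such practice is good because its randomization in nature" is ungrammatical and gives no rationale; suggest "such practice is preferable because it adds randomization to the port allocation" and, if the benefit is meant to be relied on, a reference that supports it.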
At the same time, the CGN device also needs to decide the shared IPv4 | At the same time, the CGN device also needs to decide the shared IPv4 | |||
address for that subscriber. The shared IPv4 address and the pre- | address for that subscriber. The shared IPv4 address and the pre- | |||
skipping to change at page 15, line 43 | skipping to change at page 25, line 11 | |||
pre-allocated IP port range for that subscriber to replace the | pre-allocated IP port range for that subscriber to replace the | |||
original source TCP/UDP port or ICMP identifier, along with the | original source TCP/UDP port or ICMP identifier, along with the | |||
replacement of the source IP address by the shared IPv4 address. | replacement of the source IP address by the shared IPv4 address. | |||
A CGN device may decide to "free" a previously assigned set of TCP/ | A CGN device may decide to "free" a previously assigned set of TCP/ | |||
UDP ports or ICMP identifiers that have been allocated for a specific | UDP ports or ICMP identifiers that have been allocated for a specific | |||
subscriber but not currently in use, and with that, the CGN device | subscriber but not currently in use, and with that, the CGN device | |||
must send the information of the de-allocated IP port range along | must send the information of the de-allocated IP port range along | |||
with the shared IPv4 address to the RADIUS server. | with the shared IPv4 address to the RADIUS server. | |||
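Review bot: "the CGN device must send the information of the de-allocated IP port range along with the shared IPv4 address to the RADIUS server" is another lowercase "must" in what appears to be a conformance requirement; it should be "MUST" if the RADIUS server is expected to rely on de-allocation reports (Section 4.2 cites [RFC6967] for identification purposes, which only works if de-allocations are reported reliably), or "SHOULD" if reporting is optional. The paragraph also does not name the message that carries the report; Figure 16 shows an Accounting-Request, so say so here.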
Figure 3 illustrates how RADIUS protocol is used to report a set of | Figure 16 illustrates how RADIUS protocol is used to report a set of | |||
ports allocated and de-allocated, respectively, by a NAT44 device for | ports allocated and de-allocated, respectively, by a NAT44 device for | |||
a specific user to the RADIUS server. | a specific user to the RADIUS server. | |||
Host NAT44/NAS AAA | Host NAT44/NAS AAA | |||
| BNG Server | | BNG Server | |||
| | | | | | | | |||
| | | | | | | | |||
|----Service Request------>| | | |----Service Request------>| | | |||
| | | | | | | | |||
| |-----Access-Request -------->| | | |-----Access-Request -------->| | |||
skipping to change at page 16, line 35 | skipping to change at page 25, line 45 | |||
... ... ... | ... ... ... | |||
| | | | | | | | |||
| (NAT44 decides to de-allocate | | | (NAT44 decides to de-allocate | | |||
| a TCP/UDP port range for the user) | | | a TCP/UDP port range for the user) | | |||
| | | | | | | | |||
| |-----Accounting-Request----->| | | |-----Accounting-Request----->| | |||
| | (IP-Port-Range | | | | (IP-Port-Range | | |||
| | for de-allocation) | | | | for de-allocation) | | |||
| | | | | | | | |||
Figure 3: RADIUS Message Flow for reporting NAT44 allocation/de- | Figure 16: RADIUS Message Flow for reporting NAT44 allocation/de- | |||
allocation of a port set | allocation of a port set | |||
4.1.3. Configure Forwarding Port Mapping | 4.1.3. Configure Forwarding Port Mapping | |||
In most scenarios, the port mapping on a NAT device is dynamically | In most scenarios, the port mapping on a NAT device is dynamically | |||
created when the IP packets of an IP connection initiated by a user | created when the IP packets of an IP connection initiated by a user | |||
arrives. For some applications, the port mapping needs to be pre- | arrives. For some applications, the port mapping needs to be pre- | |||
defined allowing IP packets of applications from outside a CGN device | defined allowing IP packets of applications from outside a CGN device | |||
to pass through and "port forwarded" to the correct user located | to pass through and "port forwarded" to the correct user located | |||
behind the CGN device. | behind the CGN device. | |||
skipping to change at page 17, line 12 | skipping to change at page 26, line 22 | |||
creating or deleting a mapping along with a rich set of features on a | creating or deleting a mapping along with a rich set of features on a | |||
CGN device in dynamic fashion. In some deployment, all users need is | CGN device in dynamic fashion. In some deployment, all users need is | |||
a few, typically just one pre-configured port mapping for | a few, typically just one pre-configured port mapping for | |||
applications such as web cam at home, and the lifetime of such a port | applications such as web cam at home, and the lifetime of such a port | |||
mapping remains valid throughout the duration of the customer's | mapping remains valid throughout the duration of the customer's | |||
Internet service connection time. In such an environment, it is | Internet service connection time. In such an environment, it is | |||
possible to statically configure a port mapping on the RADIUS server | possible to statically configure a port mapping on the RADIUS server | |||
for a user and let the RADIUS protocol to propagate the information | for a user and let the RADIUS protocol to propagate the information | |||
to the associated CGN device. | to the associated CGN device. | |||
Figure 4 illustrates how RADIUS protocol is used to configure a | Figure 17 illustrates how RADIUS protocol is used to configure a | |||
forwarding port mapping on a NAT44 device by using RADIUS protocol. | forwarding port mapping on a NAT44 device by using RADIUS protocol. | |||
Host NAT/NAS AAA | Host NAT/NAS AAA | |||
| BNG Server | | BNG Server | |||
| | | | | | | | |||
|----Service Request------>| | | |----Service Request------>| | | |||
| | | | | | | | |||
| |---------Access-Request------->| | | |---------Access-Request------->| | |||
| | | | | | | | |||
| |<--------Access-Accept---------| | | |<--------Access-Accept---------| | |||
skipping to change at page 17, line 37 | skipping to change at page 26, line 47 | |||
| (Create a port mapping | | | (Create a port mapping | | |||
| for the user, and | | | for the user, and | | |||
| associate it with the | | | associate it with the | | |||
| internal IP address | | | internal IP address | | |||
| and external IP address) | | | and external IP address) | | |||
| | | | | | | | |||
| | | | | | | | |||
| |------Accounting-Request------>| | | |------Accounting-Request------>| | |||
| | (IP-Port-Forwarding-Map) | | | | (IP-Port-Forwarding-Map) | | |||
Figure 4: RADIUS Message Flow for configuring a forwarding port | Figure 17: RADIUS Message Flow for configuring a forwarding port | |||
mapping | mapping | |||
A port forwarding mapping that is created on a CGN device using | A port forwarding mapping that is created on a CGN device using | |||
RADIUS extension as described above may also be changed using RADIUS | RADIUS extension as described above may also be changed using RADIUS | |||
CoA message [RFC5176] that carries the same RADIUS associate. The | CoA message [RFC5176] that carries the same RADIUS associate. The | |||
CoA message may be sent from the RADIUS server directly to the NAS, | CoA message may be sent from the RADIUS server directly to the NAS, | |||
which once accepts and sends back a RADIUS CoA ACK message, the new | which once accepts and sends back a RADIUS CoA ACK message, the new | |||
port forwarding mapping then replaces the previous one. | port forwarding mapping then replaces the previous one. | |||
Figure 5 illustrates how RADIUS protocol is used to change an | Figure 18 illustrates how RADIUS protocol is used to change an | |||
existing port mapping from (a:X) to (a:Y), where "a" is an internal | existing port mapping from (a:X) to (a:Y), where "a" is an internal | |||
port, and "X" and "Y" are external ports, respectively, for a | port, and "X" and "Y" are external ports, respectively, for a | |||
specific user with a specific IP address | specific user with a specific IP address | |||
Host NAT/NAS AAA | Host NAT/NAS AAA | |||
| BNG Server | | BNG Server | |||
| | | | | | | | |||
| Internal IP Address | | | Internal IP Address | | |||
| Port Map (a:X) | | | Port Map (a:X) | | |||
| | | | | | | | |||
| |<---------CoA Request----------| | | |<---------CoA Request----------| | |||
| | (IP-Port-Forwarding-Map) | | | | (IP-Port-Forwarding-Map) | | |||
| | | | | | | | |||
| Internal IP Address | | | Internal IP Address | | |||
skipping to change at page 18, line 19 | skipping to change at page 27, line 29 | |||
| | | | | | | | |||
| |<---------CoA Request----------| | | |<---------CoA Request----------| | |||
| | (IP-Port-Forwarding-Map) | | | | (IP-Port-Forwarding-Map) | | |||
| | | | | | | | |||
| Internal IP Address | | | Internal IP Address | | |||
| Port Map (a:Y) | | | Port Map (a:Y) | | |||
| | | | | | | | |||
| |---------CoA Response--------->| | | |---------CoA Response--------->| | |||
| | (IP-Port-Forwarding-Map) | | | | (IP-Port-Forwarding-Map) | | |||
Figure 5: RADIUS Message Flow for changing a user's forwarding port | Figure 18: RADIUS Message Flow for changing a user's forwarding port | |||
mapping | mapping | |||
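Review bot: "carries the same RADIUS associate" in the paragraph preceding Figure 18 is a typo for "attribute", unchanged from -00, and "which once accepts and sends back a RADIUS CoA ACK message, the new port forwarding mapping then replaces the previous one" should be restructured, e.g. "once the NAS accepts it and returns a CoA-ACK, the new port forwarding mapping replaces the previous one". The terminology is also inconsistent with the figures: the prose says "CoA ACK" while Figures 15 and 18 label the reply "CoA Response", and Figure 18's CoA Response carries IP-Port-Forwarding-Map whereas Figure 15's CoA Response carries no attribute; the RFC 5176 message names (CoA-Request, CoA-ACK, CoA-NAK) should be used in both, and the text should state whether the ACK echoes the attribute. The Figure 18 lead-in sentence also lacks a terminating period.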
4.1.4. An Example | 4.1.4. An Example | |||
An Internet Service Provider (ISP) assigns TCP/UDP 500 ports for the | An Internet Service Provider (ISP) assigns TCP/UDP 500 ports for the | |||
subscriber Joe. This number is the limit that can be used for TCP/UDP | subscriber Joe. This number is the limit that can be used for TCP/UDP | |||
ports on a NAT44 device for Joe, and is configured on a RADIUS | ports on a NAT44 device for Joe, and is configured on a RADIUS | |||
server. Also, Joe asks for a pre-defined port forwarding mapping on | server. Also, Joe asks for a pre-defined port forwarding mapping on | |||
the NAT44 device for his web cam applications (external port 5000 | the NAT44 device for his web cam applications (external port 5000 | |||
maps to internal port 80). | maps to internal port 80). | |||
skipping to change at page 19, line 34 | skipping to change at page 28, line 44 | |||
applications can communicate with his web cam at home from external | applications can communicate with his web cam at home from external | |||
realm directly traversing the pre-configured mapping on the CGN | realm directly traversing the pre-configured mapping on the CGN | |||
device. | device. | |||
When Joe disconnects from his Internet service, the CGN device will | When Joe disconnects from his Internet service, the CGN device will | |||
de-allocate all TCP/UDP ports as well as the port-forwarding mapping, | de-allocate all TCP/UDP ports as well as the port-forwarding mapping, | |||
and send the relevant information to the RADIUS server. | and send the relevant information to the RADIUS server. | |||
4.2. Report Assigned Port Set for a Visiting UE | 4.2. Report Assigned Port Set for a Visiting UE | |||
Figure 6 illustrates an example of the flow exchange which occurs | Figure 19 illustrates an example of the flow exchange which occurs | |||
when a visiting UE connects to a CPE offering Wi-Fi service. | when a visiting UE connects to a CPE offering WLAN service. | |||
For identification purposes (see [RFC6967]), once the CPE assigns a | For identification purposes (see [RFC6967]), once the CPE assigns a | |||
port set, it issues a RADIUS message to report the assigned port set. | port set, it issues a RADIUS message to report the assigned port set. | |||
UE CPE NAS AAA | UE CPE NAS AAA | |||
| BNG Server | | BNG Server | |||
| | | | | | | | |||
| | | | | | | | |||
|----Service Request------>| | | |----Service Request------>| | | |||
| | | | | | | | |||
skipping to change at page 20, line 36 | skipping to change at page 29, line 36 | |||
| | | | | | | | | | |||
| | | | | | | | | | |||
| (CPE withdraws a TCP/UDP port | | | (CPE withdraws a TCP/UDP port | | |||
| range for a visiting UE) | | | range for a visiting UE) | | |||
| | | | | | | | |||
| |--Accounting-Request-...------------------->| | | |--Accounting-Request-...------------------->| | |||
| | (IP-Port-Range | | | | (IP-Port-Range | | |||
| | for de-allocation) | | | | for de-allocation) | | |||
| | | | | | | | |||
Figure 6: RADIUS Message Flow for reporting CPE allocation/de- | Figure 19: RADIUS Message Flow for reporting CPE allocation/de- | |||
allocation of a port set to a visiting UE | allocation of a port set to a visiting UE | |||
5. Table of Attributes | 5. Table of Attributes | |||
This document proposes three new RADIUS attributes and their formats | This document proposes three new RADIUS attributes and their formats | |||
are as follows: | are as follows: | |||
o IP-Port-Limit: TBA1.{TBA1-1 .. TBA1-5}.TBA2 | o IP-Port-Limit: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA3, {TBA4}] | |||
o IP-Port-Range: TBA1.{TBA1-1 .. TBA1-5}.{TBA3 .. TBA4} | o IP-Port-Range: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA8, TBA9, TBA10, | |||
{TBA4}, {TBA11}]. | ||||
o IP-Port-Forwarding-Map: TBA.1{TBA1-1 .. TBA1-5}.TBA5 | o IP-Port-Forwarding-Map: TBA1.TBA2.{TBA2-1 .. TBA2-5}.[TBA6, TBA7, | |||
TBA5, {TBA4}] | ||||
The following table provides a guide as what type of RADIUS packets | The following table provides a guide as what type of RADIUS packets | |||
that may contain these attributes, and in what quantity. | that may contain these attributes, and in what quantity. | |||
Request Accept Reject Challenge Acct. # Attribute | Request Accept Reject Challenge Acct. # Attribute | |||
Request | Request | |||
0-1 0-1 0 0 0-1 TBA IP-Port-Limit | 0+ 0+ 0 0 0+ TBA IP-Port-Limit | |||
0 0 0 0 0-1 TBA IP-Port-Range | 0 0 0 0 0+ TBA IP-Port-Range | |||
0-1 0-1 0 0 0-1 TBA IP-Port-Forwarding-Map | 0+ 0+ 0 0 0+ TBA IP-Port-Forwarding-Map | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
0+ Zero or more instances of this attribute MAY be present in | 0+ Zero or more instances of this attribute MAY be present in packet. | |||
packet. | ||||
0-1 Zero or one instance of this attribute MAY be present in packet. | ||||
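Review bot: Changing the Access-Request/Access-Accept/Accounting-Request entries from "0-1" to "0+" now permits several IP-Port-Limit or IP-Port-Forwarding-Map attributes in one packet, but the text does not say how a NAS handles two instances that carry the same IP-Port-Type (for example, whether the later one replaces the earlier, or the packet is rejected); a one-sentence rule here, or in Section 3, would avoid divergent implementations. Dropping the "0-1" legend entry is consistent with the new table, and "MUST NOT be present in packet" reads better as "MUST NOT be present in the packet".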
6. Security Considerations | 6. Security Considerations | |||
This document does not introduce any security issue than what has | This document does not introduce any security issue than what has | |||
been identified in [RFC2865]. | been identified in [RFC2865]. | |||
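Review bot: This section is unchanged from -00 but no longer covers the mechanism described: the draft now relies on CoA messages [RFC5176] to change a subscriber's port limit and forwarding mapping (Figures 15 and 18) and on Accounting-Request messages to report per-subscriber port ranges and shared IPv4 addresses, neither of which falls under the security considerations of [RFC2865] alone. Suggest referring to the security considerations of [RFC5176] as well, and noting two consequences visible in this draft: a forged or replayed CoA-Request that raises IP-Port-Limit or installs an IP-Port-Forwarding-Map changes what reaches an internal host, so CoA authentication and the server/NAS trust relationship matter; and the reported port ranges and external addresses are precisely the data used to identify a subscriber (Section 4.2 cites [RFC6967]), so the confidentiality of accounting traffic is a privacy concern. Also "does not introduce any security issue than" should read "other than".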
7. IANA Considerations | 7. IANA Considerations | |||
This document requires new code point assignment for the new RADIUS | This document requires new code point assignments for the new RADIUS | |||
attributes as follows: | attributes as follows: | |||
o TBA1 (refer to Section 3.1): This value is for the Radius Type | o TBA1 (refer to Section 3.1.1): This value is for the Radius Type | |||
field and should be allocated from the number space of Extended- | field and should be allocated from the number space of Extended- | |||
Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or | Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or | |||
Extended-Type-4 (244) per [RFC6929]. | Extended-Type-4 (244) per [RFC6929]. | |||
o TBA1-1, TBA1-2, TBA1-3, TBA1-4, and TBA1-5 (refer to Section 3.1): | o TBA2 (refer to Section 3.1.1): This value is for the Extended-Type | |||
These values are for the Radius Extended Type field that are | field and should be allocated from the Short Extended Space per | |||
associated with TBA1. | [RFC6929]. | |||
o TBA2 (refer to Section 3.2): This value is for the TLV field and | o TBA2-1, TBA2-2, TBA2-3, TBA2-4, and TBA2-5 (refer to | |||
specifies the limit of the IP port imposed to a user. | Section 3.1.1): These values are for the Type field of IP-Port- | |||
Type TLV that is within the TBA2 container, and they should be | ||||
allocated as TLV data type and effectively extend the attribute | ||||
tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3, TBA2-4, TBA2-5}. | ||||
o TBA3 (refer to Section 3.3): This value is for the TLV field and | o TBA3 (refer to Section 3.1.2): This value is for the type field of | |||
specifies the allocation action of IP ports by a port device | IP-Port-Limit TLV. It should be allocated as TLV data type and it | |||
(e.g., a CGN) for a user. | extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3, | |||
TBA2-4, TBA2-5}.TBA3. | ||||
o TBA4 (refer to Section 3.3): This value is for the TLV field and | o TBA4 (refer to Section 3.2.2): This value is for the Type field of | |||
specifies the de-allocation action of IP ports by a port device | IP-Port-Ext-IPv4-Addr TLV. It should be allocated as TLV data | |||
(e.g., a CGN) for a user. | type and it extends the attribute tree as TBA1.TBA2.{TBA2-1, | |||
TBA2-2, TBA2-3, TBA2-4, TBA2-5}.[TBA4...]. | ||||
o TBA5(refer to Section 3.4): This value is for the TLV field and | o TBA5 (refer to Section 3.2.3): This value is for the Type field of | |||
specifies the mapping action on IP port by a port device (e.g., a | IP-Port-Int-IP-Addr TLV. It should be allocated as TLV data type | |||
CGN) for a user. | and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, | |||
TBA2-3, TBA2-4, TBA2-5}.[TBA5...]. | ||||
o TBA6 (refer to Section 3.2.4): This value is for the Type field of | ||||
IP-Port-Int-Port TLV. It should be allocated as TLV data type and | ||||
it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, | ||||
TBA2-3, TBA2-4, TBA2-5}.[TBA6...]. | ||||
o TBA7 (refer to Section 3.2.5): This value is for the Type field of | ||||
IP-Port-Ext-port TLV. It should be allocated as TLV data type and | ||||
it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, | ||||
TBA2-3, TBA2-4, TBA2-5}.[TBA7...]. | ||||
o TBA8 (refer to Section 3.2.6): This value is for the Type field of | ||||
IP-Port-Alloc TLV. It should be allocated as TLV data type and it | ||||
extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3, | ||||
TBA2-4, TBA2-5}.[TBA8...]. | ||||
o TBA9 (refer to Section 3.2.7): This value is for the Type field of | ||||
IP-Port-Range-Start TLV. It should be allocated as TLV data type | ||||
and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, | ||||
TBA2-3, TBA2-4, TBA2-5}.[TBA9..]. | ||||
o TBA10 (refer to Section 3.2.8): This value is for the Type field | ||||
of IP-Port-Range-End TLV. It should be allocated as TLV data type | ||||
and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, | ||||
TBA2-3, TBA2-4, TBA2-5}.[TBA10..]. | ||||
o TBA11 (refer to Section 3.2.9): This value is for the Type field | ||||
of IP-Port-Local-Id TLV. It should be allocated as TLV data type | ||||
and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, | ||||
TBA2-3, TBA2-4, TBA2-5}.[TBA11..]. | ||||
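Review bot: Notation in this list is inconsistent: the attribute-tree suffix is written "[TBA4...]" through "[TBA8...]" with three dots but "[TBA9..]", "[TBA10..]" and "[TBA11..]" with two, and "TBA5(refer to" in the -00 column lost its space; Section 5 likewise ends the IP-Port-Range line with a period that the IP-Port-Limit and IP-Port-Forwarding-Map lines lack. Pick one form for the tree notation and use it in both sections. The TBA8/TBA9/TBA10 bullets also say the IP-Port-Alloc, IP-Port-Range-Start and IP-Port-Range-End TLVs are in Sections 3.2.6 to 3.2.8 while Section 4.1.2 says IP-Port-Range is "defined in Section 3.1.3"; worth confirming both references are correct after the section renumbering in -01.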
8. Acknowledgements | 8. Acknowledgements | |||
Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David | Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David | |||
Thaler, Alan Dekok, and Lionel Morand for their useful comments and | Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful | |||
suggestions. | comments and suggestions. | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | |||
E. Lear, "Address Allocation for Private Internets", BCP | E. Lear, "Address Allocation for Private Internets", BCP | |||
5, RFC 1918, February 1996. | 5, RFC 1918, February 1996. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
skipping to change at page 22, line 49 | skipping to change at page 32, line 35 | |||
[I-D.gundavelli-v6ops-community-wifi-svcs] | [I-D.gundavelli-v6ops-community-wifi-svcs] | |||
Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, | Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, | |||
"Service Provider Wi-Fi Services Over Residential | "Service Provider Wi-Fi Services Over Residential | |||
Architectures", draft-gundavelli-v6ops-community-wifi- | Architectures", draft-gundavelli-v6ops-community-wifi- | |||
svcs-06 (work in progress), April 2013. | svcs-06 (work in progress), April 2013. | |||
[I-D.ietf-softwire-lw4over6] | [I-D.ietf-softwire-lw4over6] | |||
Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and | Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and | |||
I. Farrer, "Lightweight 4over6: An Extension to the DS- | I. Farrer, "Lightweight 4over6: An Extension to the DS- | |||
Lite Architecture", draft-ietf-softwire-lw4over6-08 (work | Lite Architecture", draft-ietf-softwire-lw4over6-10 (work | |||
in progress), March 2014. | in progress), June 2014. | |||
[I-D.miles-behave-l2nat] | [I-D.miles-behave-l2nat] | |||
Miles, D. and M. Townsley, "Layer2-Aware NAT", draft- | Miles, D. and M. Townsley, "Layer2-Aware NAT", draft- | |||
miles-behave-l2nat-00 (work in progress), March 2009. | miles-behave-l2nat-00 (work in progress), March 2009. | |||
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network | [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network | |||
Address Translator (Traditional NAT)", RFC 3022, January | Address Translator (Traditional NAT)", RFC 3022, January | |||
2001. | 2001. | |||
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful | [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful | |||