draft-ietf-radext-ip-port-radius-ext-00.txt   draft-ietf-radext-ip-port-radius-ext-01.txt 
Network Working Group D. Cheng Network Working Group D. Cheng
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Korhonen Intended status: Standards Track J. Korhonen
Expires: November 11, 2014 Broadcom Expires: December 14, 2014 Broadcom
M. Boucadair M. Boucadair
France Telecom France Telecom
S. Sivakumar S. Sivakumar
Cisco Systems Cisco Systems
May 10, 2014 June 12, 2014
RADIUS Extensions for IP Port Configuration and Reporting RADIUS Extensions for IP Port Configuration and Reporting
draft-ietf-radext-ip-port-radius-ext-00 draft-ietf-radext-ip-port-radius-ext-01
Abstract Abstract
This document defines three new RADIUS attributes. For device that This document defines three new RADIUS attributes. For devices that
implementing IP port ranges, these attributes are used to communicate implementing IP port ranges, these attributes are used to communicate
with a RADIUS server in order to configure and report TCP/UDP ports with a RADIUS server in order to configure and report TCP/UDP ports
and ICMP identifiers, as well as mapping behavior for specific hosts. and ICMP identifiers, as well as mapping behavior for specific hosts.
This mechanism can be used in various deployment scenarios such as This mechanism can be used in various deployment scenarios such as
CGN, NAT64, Provider WiFi Gateway, etc. CGN (Carrier Grade NAT), NAT64, Provider WLAN Gateway, etc.
This document does not make any assumption about the deployment This document does not make any assumption about the deployment
context. context.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 11, 2014. This Internet-Draft will expire on December 14, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . 5 3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5
3.1. Extended-Type for IP-Port-Type . . . . . . . . . . . . . 5 3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6
3.2. IP-Port-Limit Attribute . . . . . . . . . . . . . . . . . 7 3.1.1. Extended-Type and IP-Port-Type TLV . . . . . . . . . 6
3.3. IP-Port-Range Attribute . . . . . . . . . . . . . . . . . 8 3.1.2. IP-Port-Limit Attribute . . . . . . . . . . . . . . . 7
3.4. IP-Port-Forwarding-Map Attribute . . . . . . . . . . . . 10 3.1.3. IP-Port-Range Attribute . . . . . . . . . . . . . . . 9
4. Applications, Use Cases and Examples . . . . . . . . . . . . 12 3.1.4. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 12
4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 12 3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 14
4.1.1. Configure IP Port Limit for a User . . . . . . . . . 13 3.2.1. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 14
4.1.2. Report IP Port Allocation/De-allocation . . . . . . . 15 3.2.2. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 15
4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 16 3.2.3. IP-Port-Int-IP-Addr TLV . . . . . . . . . . . . . . . 16
4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 18 3.2.4. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 17
4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 19 3.2.5. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 17
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 20 3.2.6. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 18
6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 3.2.7. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 19
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 3.2.8. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 20
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 3.2.9. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 20
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 4. Applications, Use Cases and Examples . . . . . . . . . . . . 21
9.1. Normative References . . . . . . . . . . . . . . . . . . 22 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 21
9.2. Informative References . . . . . . . . . . . . . . . . . 22 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 4.1.2. Report IP Port Allocation/De-allocation . . . . . . . 24
4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 25
4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 27
4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 28
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 29
6. Security Considerations . . . . . . . . . . . . . . . . . . . 30
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.1. Normative References . . . . . . . . . . . . . . . . . . 31
9.2. Informative References . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33
1. Introduction 1. Introduction
In a broadband network, customer information is usually stored on a In a broadband network, customer information is usually stored on a
RADIUS server [RFC2865] and at the time when a user initiates an IP RADIUS server [RFC2865] and at the time when a user initiates an IP
connection request, the RADIUS server will populate the user's connection request, the RADIUS server will populate the user's
configuration information to the Network Access Server (NAS), which configuration information to the Network Access Server (NAS), which
is usually co-located with the Border Network Gateway (BNG), after is usually co-located with the Border Network Gateway (BNG), after
the connection request is granted. The Carrier Grade NAT (CGN) the connection request is granted. The Carrier Grade NAT (CGN)
function may also be implemented on the BNG, and therefore CGN TCP/ function may also be implemented on the BNG, and therefore CGN TCP/
skipping to change at page 3, line 16 skipping to change at page 3, line 27
the RADIUS server as part of the user profile, and populated to the the RADIUS server as part of the user profile, and populated to the
NAS in the same manner. In addition, during the operation, the CGN NAS in the same manner. In addition, during the operation, the CGN
can also convey port/identifier mapping behavior specific to a user can also convey port/identifier mapping behavior specific to a user
to the RADIUS server, as part of the normal RADIUS accounting to the RADIUS server, as part of the normal RADIUS accounting
process. process.
The CGN device that communicates with a RADIUS server using RADIUS The CGN device that communicates with a RADIUS server using RADIUS
extensions defined in this document may perform NAT44 [RFC3022], extensions defined in this document may perform NAT44 [RFC3022],
NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function. NAT64 [RFC6146], or Dual-Stack Lite AFTR [RFC6333] function.
For the CGN example, when IP packets traverse a CGN, it would perform For the CGN case, when IP packets traverse a CGN device, it would
TCP/UDP source port mapping or ICMP identifier mapping as required. perform TCP/UDP source port mapping or ICMP identifier mapping as
A TCP/ UDP source port or ICMP identifier, along with source IP required. A TCP/ UDP source port or ICMP identifier, along with
address, destination IP address, destination port and protocol source IP address, destination IP address, destination port and
identifier if applicable, uniquely identify a session. Since the protocol identifier if applicable, uniquely identify a session.
number space of TCP/UDP ports and ICMP identifiers in CGN's external Since the number space of TCP/UDP ports and ICMP identifiers in CGN's
realm is shared among multiple users assigned with the same IPv4 external realm is shared among multiple users assigned with the same
address, the total number of a user's simultaneous IP sessions is IPv4 address, the total number of a user's simultaneous IP sessions
likely to subject to port quota. is likely to be subject to port quota (see Section 5 of [RFC6269]).
The attributes defined in this document may also be used to report The attributes defined in this document may also be used to report
the assigned port set in some deployment such as Provider Wi-Fi the assigned port range in some deployments such as Provider WLAN
[I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting
host can be managed by a CPE which will need to report the assigned host can be managed by a CPE (Customer Premises Equipment ) which
port set to the service platform. This is required for will need to report the assigned port range to the service platform.
identification purposes (see WT-146 for example). This is required for identification purposes (see WT-146 for
example).
This document proposes three new attributes as RADIUS protocol's This document proposes three new attributes as RADIUS protocol's
extensions, and they are used for separate purposes as follows: extensions, and they are used for separate purposes as follows:
o IP-Port-Limit:This attribute may be carried in RDIUS Acces-Accept, 1. IP-Port-Limit: This attribute may be carried in RADIUS Acces-
Accounting-Request or CoA-Request packet. The purpose of this Accept, Access-Request, Accounting-Request or CoA-Request packet.
attribute is to limit the total number of TCP/UDP ports and/or The purpose of this attribute is to limit the total number of
ICMP identifiers that an IP subscriber can use.. TCP/UDP ports and/or ICMP identifiers that an IP subscriber can
use, associated with an IPv4 address.
o IP-Port-Range:This attribute may be carried in RADIUS Access- 2. IP-Port-Range: This attribute may be carried in RADIUS
Accept, Accounting-Request or CoA-Request packet. The purpose of Accounting-Request packet. The purpose of this attribute is to
this attribute is to specify the range of TCP/UDP ports and/or report by an address sharing device (e.g., a CGN) to the RADIUS
ICMP identifiers that an IP subscriber can use associated with an server the range of TCP/UDP ports and/or ICMP identifiers that
IPv4 address. have been allocated or deallocated associated with a given IPv4
address for a subscriber.
o IP-Port-Forwarding-Map:This attribute may be carried in RADIUS 3. IP-Port-Forwarding-Map: This attribute may be carried in RADIUS
Access-Accept, Accounting-Request or CoA-Request packet. The Access-Accept, Access-Request, Accounting-Request or CoA-Request
purpose of this this attribute is to specify how a TCP/UDP port packet. The purpose of this attribute is to specify how a TCP/
(or an ICMP identifier) mapping to another TCP/UDP port (or an UDP port (or an ICMP identifier) mapping to another TCP/UDP port
ICMP identifier). (or an ICMP identifier), and each is associated with its
respective IPv4 address.
This document was constructed using the [RFC2629] . This document was constructed using the [RFC2629] .
2. Terminology 2. Terminology
Some terms that are used in this document are listed as follows: This document makes use if the following terms:
o IP Port - This term refers to IP transport protocol port, o IP Port: refers to the port numbers of IP transport protocols,
including TCP port, UDP port and ICMP identifier. including TCP port, UDP port and ICMP identifier.
o IP Port Limit - This is the maximum number of TCP ports, or UDP o IP Port Type: refers to one of the following: (1)TCP/UDP port and
ports, or the total of the two, or ICMP identifiers, or the total ICMP identifier, (2)TCP port and UDP port, (3) TCP port, (4) UDP
of the three, that a device supporting port ranges can use when port, or (5)ICMP identifier.
performing mapping on TCP/ UDP ports or ICMP identifiers for a
specific user.
o IP Port Range - This specifies a set of TCP/UDP port numbers or o IP Port Limit: denotes the maximum number of IP ports for a
ICMP identifiers, indicated by the port/identifier with the specific port type, that a device supporting port ranges can use
smallest numerical number and the port/identifier with the largest when performing port number mapping for a specific user.
numerical number, inclusively.
o Internal IP Address - The IP address that is used as a source IP o IP Port Range: specifies a set of contiguous IP ports, indicated
address in an outbound IP packet sent toward a device supporting by the smallest numerical number and the largest numerical number,
port ranges in the internal realm. In IPv4 case, it is typically inclusively.
a private address [RFC1918].
o External IP Address - The IP address that is used as a source IP o Internal IP Address: refers to the IP address that is used as a
address in an outbound IP packet after traversing a device source IP address in an outbound IP packet sent towards a device
supporting port ranges in the external realm. In IPv4 case, it is supporting port ranges in the internal realm. In the IPv4 case,
typically a global and routable IP address. it is typically a private address [RFC1918].
o Internal Port - The internal port is a UDP or TCP port, or an ICMP o External IP Address: refers to the IP address that is used as a
identifier, which is allocated by a host or application behind a source IP address in an outbound IP packet after traversing a
device supporting port ranges for an outbound IP packet in the device supporting port ranges in the external realm. In the IPv4
internal realm. case, it is typically a global routable IP address.
o External Port - The external port is a UDP or TCP port, or an ICMP o Internal Port: is a UDP or TCP port, or an ICMP identifier, which
identifier, which is allocated by a device supporting port ranges is allocated by a host or application behind a device supporting
upon receiving an outbound IP packet in the internal realm, and is port ranges for an outbound IP packet in the internal realm.
used to replace the internal port that is allocated by a user or
application.
o External realm - The networking segment where IPv4 public o External Port: is a UDP or TCP port, or an ICMP identifier, which
is allocated by a device supporting port ranges upon receiving an
outbound IP packet in the internal realm, and is used to replace
the internal port that is allocated by a user or application.
o External realm: refers to the networking segment where IPv4 public
addresses are used in respective of the device supporting port addresses are used in respective of the device supporting port
ranges. ranges.
o Internal realm - The networking segment that is behind a device o Internal realm: refers to the networking segment that is behind a
supporting port ranges and where IPv4 private addresses are used. device supporting port ranges and where IPv4 private addresses are
used.
o Mapping - This term in this document associates with a device o Mapping: associates with a device supporting port ranges for a
supporting port ranges for a relationship between an internal IP relationship between an internal IP address, internal port and the
address, internal port and the protocol, and an external IP protocol, and an external IP address, external port, and the
address, external port, and the protocol. protocol.
o Port-based device - A device that is capable of providing IP o Port-based device: a device that is capable of providing IP
address and TCP/UDP port mapping services and in particular, with address and IP port mapping services and in particular, with the
the granularity of one or more subsets within the 16-bit TCP/UDP granularity of one or more subsets within the 16-bit IP port
port number range. A typical example of this device can be a CGN, number range. A typical example of this device is a CGN, CPE,
CPE, Provider Wi-Fi Gateway, etc. Provider WLAN Gateway, etc.
Note the terms "internal IP address", "internal port", "internal Note the terms "internal IP address", "internal port", "internal
realm", "external IP address", "external port", "external realm", and realm", "external IP address", "external port", "external realm", and
"mapping" and their semantics are the same as in [RFC6887], and "mapping" and their semantics are the same as in [RFC6887], and
[RFC6888]. [RFC6888].
3. RADIUS Attributes 3. Extensions of RADIUS Attributes and TLVs
[Discussion: Should we define a dedicated attribute
(port_set_policies) to configure the following policies: (1)
enforce port randomization, (2) include/exclude the WKP in the
port assignment, (3) preserve parity, (4) quota for explicit port
mapping, (5) DSCP marking policy, (6) Port hold down timer, (7)
port hold down pool, etc. Perhaps we don't need to cover all
these parameters. - The discussion should be in a separate draft
allowing this draft dedicated to RADIUS extension only.]
In this section, we define the details of the following three new These three new attributes are defined in the following sub-sections:
attributes:
o IP-Port-Limit Attribute 1. IP-Port-Limit Attribute
o IP-Port-Range Attribute 2. IP-Port-Range Attribute
o IP-Port-Forwarding-Map Attribute 3. IP-Port-Forwarding-Map Attribute
All these attributes are allocated from the RADIUS "Extended Type" All these attributes are allocated from the RADIUS "Extended Type"
code space per [RFC6929]. code space per [RFC6929].
3.1. Extended-Type for IP-Port-Type 3.1. Extended Attributes for IP Ports
This section defines a new Extended-Type for IP port type. The IP 3.1.1. Extended-Type and IP-Port-Type TLV
port type may be one of the following:
o Refer to TCP port, UDP port, and ICMP identifier This section defines a new Extended-Type and an IP-Port-Type TLV (see
Figure 1).
o Refer to TCP port and UDP port The IP port type may be one of the following:
o Refer to TCP port
o Refer to UDP port o TCP port, UDP port, and ICMP identifier
o Refer to ICMP identifier o TCP port and UDP port
0 1 2 3 o TCP port
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ o UDP port
| Type | Length | Extended-Type | Value.....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+++ o ICMP identifier
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Extended-Type | TLV1-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV1-Length | Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1
Type: Type:
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-
Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. Type-3 (243), or Extended-Type-4 (244) per [RFC6929].
Length: Length:
This field indicates the total length in octets of all fields this This field indicates the total length in bytes of all fields this
attribute, including the Type, Length, Extended-Type, and Value. attribute, including the Type, Length, Extended-Type, and the
embedded TLVs.
Extended-Type: Extended-Type:
This one octet field indicates the IP port as follows: TBA2.
TBA1-1: TLV1-Type:
Type field of IP-Port-Type TLV. This one byte field indicates the
IP port type as follows:
TBA2-1:
Refer to TCP port, UDP port, and ICMP identifier as a whole. Refer to TCP port, UDP port, and ICMP identifier as a whole.
TBA1-2: TBA2-2:
Refer to TCP port and UDP port as a whole. Refer to TCP port and UDP port as a whole.
TBA1-3: TBA2-3:
Refer to TCP port only. Refer to TCP port only.
TBA1-4: TBA2-4:
Refer to UDP port only. Refer to UDP port only.
TBA1-5: TBA2-5:
Refer to ICMP identifier only. Refer to ICMP identifier only.
TLV1-Length:
Length field of IP-Port-Type TLV. This field indicates the total
length in bytes of the TLV1, including the field of TLV1-Type,
TLV1-Length, and the Value.
Value: Value:
This field contains one or more octects, and the data format MUST Value field of IP-Port-Type TLV. This field contains one or more
be a valid RADIUS data type. TLVs, refer to Section 3.1.2, Section 3.1.3, Section 3.1.4 for
details.
The interpretation of this field is determined by the identifier The interpretation of this field is determined by the identifier
of "TBA1.{TBA1-1..TBA1-5} along with the embedded TLV. of "TBA1.TBA2.{TBA2-1..TBA2-5} along with the embedded TLVs.
3.2. IP-Port-Limit Attribute 3.1.2. IP-Port-Limit Attribute
This attribute contains an Extended-Type along with a TLV data type This attribute contains the Extended-Type and IP-Port-Type TLV
with format defined in [RFC6929]. It specifies the maximum number of defined in Section 3.1.1, along with the embedded IP-Port-Limit TLV
IP ports for a user. and IP-Port-Ext-IPv4-Addr TLV, defined in Section 3.2.1 and
Section 3.2.2, respectively. It specifies the maximum number of IP
ports, as indicated in IP-Port-Limit TLV, of a specific port type,
and associated with a given IPv4 address, as indicated in IP-Port-
Ext-IPv4-Addr TLV for an end user. Note that when IP-Port-Ext-
IPv4-Addr TLV is not included as part of the IP-Port-Limit Attribute,
the port limit is applied to all the IPv4 addresses managed by the
port device, e.g., a CGN or NAT64 device.
The IP-Port-Limit MAY appear in an Access-Accept packet, it MAY also The IP-Port-Limit Attribute MAY appear in an Access-Accept packet.
appear in an Access-Request packet as a hint by the device supporting It MAY also appear in an Access-Request packet as a hint by the
port ranges, which is co-allocated with the NAS, to the RADIUS server device supporting port ranges, which is co-allocated with the NAS, to
as a preference, although the server is not required to honor such a the RADIUS server as a preference, although the server is not
hint. required to honor such a hint.
The IP-Port-Limit MAY appear in an CoA-Request packet. The IP-Port-Limit Attribute MAY appear in a CoA-Request packet.
The IP-Port-Limit MAY appear in an Accounting-Request packet. The IP-Port-Limit Attribute MAY appear in an Accounting-Request
packet.
The IP-Port-Limit MUST NOT appear in any other RADIUS packets. The IP-Port-Limit Attribute MUST NOT appear in any other RADIUS
packets.
The format of the IP-Port-Limit RADIUS attribute format is shown The format of the IP-Port-Limit Attribute is shown in Figure 2. The
below. The fields are transmitted from left to right. fields are transmitted from left to right.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Extended-Type | TLV-Type | | Type | Length | Extended-Type | TLV1-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Length | IP-Port-Limit | | TLV1-Length | Value ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2
Type: Type:
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-
Type-3 (243), or Extended-Type-4 (244) per [RFC6929]. Type-3 (243), or Extended-Type-4 (244) per [RFC6929].
Length: Length:
This field indicates the total length in octets of all fields of This field indicates the total length in bytes of all fields of
this attribute, including the Type, Length, Extended-Type, and the this attribute, including the Type, Length, Extended-Type, and the
entire length of the embedded TLV. entire length of the embedded TLVs.
Extended-Type: Extended-Type:
This one octet field contains a value that indicates the IP port TBA2 - This one byte field contains a value that indicates the IP
type, refer to Section 3.1 for details. port type, refer to Section 3.1.1 for detail.
TLV-Type: TLV1-Type:
TBA2: for IP-Port-Limit TLV. TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1
for detail.
TLV-Length: TLV1-Length:
4. This field indicates the total length in bytes of the TLV1,
including the field of TLV1-Type, TLV1-Length, and the entire
length of the embedded TLVs.
IP-Port-Limit: Value:
This field contains the maximum number of IP ports of which, the This field contains a set of TLVs as follows:
port type is specified by the value contained in the Extended-Type
field.
Note this field is semantically associated with the identifier IP-Port-Limit TLV:
"TBA1.{TBA1-1..TBA1-5}.
3.3. IP-Port-Range Attribute This TLV contains the maximum number of IP ports of a specific
IP port type and associated with a given IPv4 address for an
end user. This TLV must be included in the IP-Port-Limit
Attribute. Refer to Section 3.2.1.
This attribute contains an Extended-Type along with a TLV data type IP-Port-Ext-IPv4-Addr TLV:
with format defined in [RFC6929]. It contains a range of numbers for
IP ports allocated by a device supporting port ranges for a given
subscriber along with an external IPv4 address.
In some CGN deployment scenarios as described such as L2NAT This TLV contains the IPv4 address that is associated with the
[I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619] and Lightweight IP port limit contained in the IP-Port-Limit TLV. This TLV is
4over6 [I-D.ietf-softwire-lw4over6], parameters at a customer premise optionally included as part of the IP-Port-Limit Attribute.
such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6 Refer to Section 3.2.2.
prefix, VRF ID, etc., may also be required to pass to the RADIUS
server as part of the accounting record.
The IP-Port-Range MAY appear in an Accounting-Request packet. IP-Port-Limit attribute is associated with the following identifier:
Type(TBA1).Extended-Type(TBA2).IP-Port-Type TLV{TBA2-1..TBA2-5}.[IP-
Port-Limit TLV(TBA3), {IP-Port-Ext-IPv4-Addr TLV (TBA4)}].
The IP-Port-Range MUST NOT appear in any other RADIUS packets. 3.1.3. IP-Port-Range Attribute
The format of the IP-Port-Range RADIUS attribute format is shown This attribute contains the Extended-Type and IP-Port-Type TLV
below. The fields are transmitted from left to right. defined in Section 3.1.1, along with a set of embedded TLVs defined
in Section 3.2.7 (IP-Port-Range-Start TLV), Section 3.2.8 (IP-Port-
Range-End TLV), Section 3.2.6 (IP-Port-Alloc TLV), Section 3.2.2 (IP-
Port-Ext-IPv4-Addr TLV), and Section 3.2.9 (IP-Port-Local-Id TLV).
It contains a range of contiguous IP ports of a specific port type
and associated with an IPv4 address that are either allocated or
deallocated by a device for a given subscriber, and the information
is intended to send to RADIUS server.
This attribute can be used to convey a single IP port number; in such
case IP-Port-Range-Start and IP-Port-Range-End conveys the same
value.
Within an IP-Port-Range Attribute, the IP-Port-Alloc TLV is always
included. For port allocation, both IP-Port-Range-Start TLV and IP-
Port-Range-End TLV must be included; for port deallocation, the
inclusion of these two TLVs is optional and if not included, it
implies that all ports that are previously allocated are now
deallocated. Both IP-Port-Ext-IPv4-Addr TLV and IP-Port-Local-Id TLV
are optional and if included, they are used by a port device (e.g., a
CGN device) to identify the end user.
The IP-Port-Range Attribute MAY appear in an Accounting-Request
packet.
The IP-Port-Range Attribute MUST NOT appear in any other RADIUS
packets.
The format of the IP-Port-Range Attribute format is shown in
Figure 3. The fields are transmitted from left to right.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Extended-Type | TLV-Type | | Type | Length | Extended-Type | TLV1-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Length | Reserved | Port Range Start |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Port range End | External IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External IPv4 Address | Local Session ID ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV1-Length | Value ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3
Type: Type:
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-
Type-3 (243), or Extended-Type-4 (244) per [RFC6929] Type-3 (243), or Extended-Type-4 (244) per [RFC6929]
Length: Length:
This field indicates the total length in octets of all fields of This field indicates the total length in bytes of all fields of
this attribute, including the Type, Length, Extended-Type, and the this attribute, including the Type, Length, Extended-Type, and the
entire length of the embedded TLV. entire length of the embedded TLVs.
Extended-Type: Extended-Type:
This one octet field contains a value that indicates the IP port TBA2 - This one byte field contains a value that indicates the IP
type, refer to Section 3.1 for details. port type, refer to Section 3.1.1 for detail.
TLV-Type: TLV1-Type:
TBA3: TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1
for detail.
Allocation for IP-Port-Range TLV. TLV1-Length:
TBA4: This field indicates the total length in bytes of the TLV1,
including the field of TLV1-Type, TLV1-Length, and the entire
length of the embedded TLVs.
De-allocation for IP-Port-Range TLV. Value:
TLV-Length: This field contains a set of TLVs as follows:
>=11. IP-Port-Alloc TLV:
Reserved: This TLV contains a flag to indicate that the range of the
specified IP ports for either allocation or deallocation. This
TLV must be included as part of the IP-Port-Range Attribute.
Refer to Section 3.2.6.
This field MUST be set to zero by the sender and ignored by the IP-Port-Range-Start TLV:
receiver.
Port Range Start: This TLV contains the smallest port number of a range of
contiguous IP ports. To report the port allocation, this TLV
must be included together with IP-Port-Range-End TLV as part of
the IP-Port-Range Attribute. Refer to Section 3.2.7.
This field contains the smallest IP port number, as specified in IP-Port-Range-End TLV:
the Extended-Type, in the IP port range.
Port Range End: This TLV contains the largest port number of a range of
contiguous IP ports. To report the port allocation, this TLV
must be included together with IP-Port-Range-Start TLV as part
of the IP-Port-Range Attribute. Refer to Section 3.2.8.
This field contains the largest IP port number, as specified in IP-Port-Ext-IPv4-Addr TLV:
the Extended-Type, in the IP port range.
External IPv4 Address: This TLV contains the IPv4 address that is associated with the
IP port range, as collectively indicated in the IP-Port-Range-
Start TLV and the IP-Port-Range-End TLV. This TLV is
optionally included as part of the IP-Port-Range Attribute.
Refer to Section 3.2.2.
This field contains the IPv4 address assigned to the associated IP-Port-Local-Id TLV:
subscriber to be used in the external realm. If set to 0.0.0.0,
the allocation address policy is local to the device supporting
port ranges.
Local Session ID: This TLV contains a local session identifier at the customer
premise, such as MAC address, interface ID, VLAN ID, PPP
sessions ID, VRF ID, IPv6 address/prefix, etc. This TLV is
optionally included as part of the IP-Port-Range Attribute.
Refer to Section 3.2.9.
This is an optional field and if presents, it contains a local The IP-Port-Range attribute is associated with the following
session identifier at the customer premise, such as MAC address, identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type
interface ID, VLAN ID, PPP sessions ID, VRF ID, IPv6 address/ TLV{TBA2-1..TBA2-5}.[IP-Port-Alloc TLV(TBA8), {IP-Port-Range-Start
prefix, etc. The length of this field equals to the value in the TLV (TBA9), IP-Port-Range-End TLV (TBA10)}, {IP-Port-Ext-IPv4-Addr
TLV Length field minus 11 octets. If this field is not present, TLV (TBA4)}, {IP-Port-Local-Id TLV (TBA11)}].
the port range policies must be enforced to all subscribers using
a local subscriber identifier.
Note the data group in the "TLV Value" field above (i.e., "Port Range 3.1.4. IP-Port-Forwarding-Map Attribute
Start", "Port Range End", "External IPv4 Address", and "Local Session
ID") is indicated by the identifier
TBA1.{TBA1-1..TBA1-5}.{TBA3..TBA4}.
3.4. IP-Port-Forwarding-Map Attribute This attribute contains the Extended-Type and IP-Port-Type TLV
defined in Section 3.1.1,along with a set of embedded TLVs defined in
Section 3.2.4 (IP-Port-Int-Port TLV), Section 3.2.5 (IP-Port-Ext-Port
TLV), Section 3.2.3 (IP-Port-Int-IP-Addr TLV), Section 3.2.9(IP-Port-
Local-Id TLV) and Section 3.2.2 (IP-Port-Ext-IP-Addr TLV). The
attribute contains a 2-byte IP internal port number that is
associated with an internal IPv4 or IPv6 address, or a locally
significant identifier at the customer site, and a 2-byte IP external
port number that is associated with an external IPv4 address. The
internal IPv4 or IPv6 address, or the local identifier must be
included; the external IPv4 address may also be included.
This attribute contains an Extended-Type along with a TLV data type The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
with format defined in [RFC6929]. It contains a 16-bit Internal Port packet. It MAY also appear in an Access-Request packet as a hint by
that identifies the source TCP/UDP port number of an IP packet sent the device supporting port mapping, which is co-allocated with the
by the user, or the destination port number of an IP packet destined NAS, to the RADIUS server as a preference, although the server is not
to the user, and in both cases, the IP packet travels behind the NAT required to honor such a hint.
device. Also it contains a 16-bit Configured External Port that
identifies the source TCP/UDP port number of an IP packet sent by the
user, or the destination port number of an IP packet destined to the
user, and in both cases, the IP packet travels outside of the NAT
device. In addition, the attribute may contain a 32-bit IPv4 address
or a 128-bit IPv6 address, respectively, as their respective NAT
mappings internal IP address. Together, the port pair and IP address
determine the port mapping rule for a specific IP flow that traverses
a NAT device.
The attribute MAY appear in an Access-Accept packet, and may also The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request
appear in an Accounting-Request packet. In either case, the packet.
attribute MUST NOT appear more than once in a single packet.
The attribute MUST NOT appear in any other RADIUS packets. The IP-Port-Forwarding-Map Attribute MAY also appear in an
Accounting-Request packet.
The format of the Port-Forwarding-Map RADIUS attribute format is The attribute MUST NOT appear in any other RADIUS packet.
shown below. The fields are transmitted from left to right.
The format of the IP-Port-Forwarding-Map Attribute is shown in
Figure 4. The fields are transmitted from left to right.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Extended-Type | TLV-Type | | Type | Length | Extended-Type | TLV1-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Length | Resevered | Internal Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Configured External Port | Internal IP Address .....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV1-Length | Value ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: Figure 4
Type: Type:
TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended- TBA1 - Extended-Type-1 (241), Extended-Type-2 (242), Extended-
Type-3 (243), or Extended-Type-4 (244) per [RFC6929] Type-3 (243), or Extended-Type-4 (244) per [RFC6929]
Length: Length:
This field indicates the total length in octets of all fields of This field indicates the total length in bytes of all fields of
this attribute, including the Type, Length, Extended-Type, and the this attribute, including the Type, Length, Extended-Type, and the
entire length of the embedded TLV. entire length of the embedded TLVs.
Extended-Type: Extended-Type:
This one octet field contains a value that indicates the IP port This one byte field contains a value that indicates the IP port
type, refer to Section 3.1 for details. type, refer to Section 3.1.1 for details.
TLV-Type: TLV1-Type:
TBA5 - It indicates IP port mapping, and the associated internal TBA2-1, TBA2-2, TBA2-3, TBA2-4, or TBA2-5. Refer to Section 3.1.1
IP address is an IPv4 or IPv6 address, or not included. for detail.
TLV-Length: TLV1-Length:
>=7. This field indicates the total length in bytes of the TLV1,
including the field of TLV1-Type, TLV1-Length, and the entire
length of the embedded TLVs.
Reserved: Value:
This field is set to zero by the sender and ignored by the This field contains a set of TLVs as follows:
receiver.
Internal Port: IP-Port-Int-Port TLV:
This field contains the internal port for the CGN mapping. This TLV contains an internal IP port number associated with an
internal IPv4 or IPv6 address. This TLV must be included
together with IP-Port-Ext-Port TLV as part of the IP-Port-
Forwarding-Map attribute. Refer to Section 3.2.4.
Configured External Port: IP-Port-Ext-Port TLV:
This field contains the external port for the CGN mapping. This TLV contains an external IP port number associated with an
external IPv4 address. This TLV must be included together with
IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map
attribute. Refer to Section 3.2.5.
Internal IP Address: IP-Port-Int-IP-Addr TLV:
This field may or may not present, and when it does, contains the This TLV contains an IPv4 or IPv6 address that is associated
internal IPv4 or IPv6 address for the CGN mapping. Its length with the internal IP port number contained in the IP-Port-Int-
equal to the value in the TLV Length field minus 7. Port TLV. Either this TLV or IP-Port-Local-Id TLV must be
included as part of the IP-Port-Forwarding-Map Attribute.
Refer to Section 3.2.3.
Note the data group in the "TLV Value" field above (i.e., "Internal IP-Port-Local-Id TLV:
Port", "Configured External Port", and "Internal IP Address") is
indicated by the identifier TBA1.{TBA1-1..TBA1-5}.TBA5. This TLV contains a local session identifier at the customer
premise, such as MAC address, interface ID, VLAN ID, PPP
sessions ID, VRF ID, IPv6 address/prefix, etc. Either this TLV
or IP-Port-Int-IP-Addr TLV must be included as part of the IP-
Port-Forwarding-Map Attribute. Refer to Section 3.2.9.
IP-Port-Ext-IPv4-Addr TLV:
This TLV contains an IPv4 address that is associated with the
external IP port number contained in the IP-Port-Ext-Port TLV.
This TLV may be included as part of the IP-Port-Forwarding-Map
Attribute. Refer to Section 3.2.2.
The IP-Port-Forwarding-Map attribute is associated with the following
identifier: Type(TBA1).Extended-Type(TBA2).IP-Port-Type
TLV{TBA2-1..TBA2-5}.[IP-Port-Int-Port TLV(TBA6), IP-Port-Ext-Port
TLV(TBA7), {IP-Port-Int-IP-Addr TLV (TBA5)}, {IP-Port-Ext-IPv4-Addr
TLV (TBA4)}].
3.2. RADIUS TLVs for IP Ports
3.2.1. IP-Port-Limit TLV
This TLV (Figure 5) uses the format defined in [RFC6929]. Its Value
field contains a 2-byte integer called IP-Port-Limit, which indicates
the maximum number of ports of a specified IP-Port-Type and
associated with a given IPv4 address assigned to a subscriber.
IP-Port-Limit TLV is included as part of the IP-Port-Limit Attribute
(refer to Section 3.1.2).
Note that IP-Port-Limit TLV is embedded within IP-Port-Type TLV
(refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV2-Type | TLV2-Length | IP-Port-Limit |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5
TLV2-Type:
TBA3: The type field for IP-Port-Limit TLV.
TLV2-Length:
This field indicates the total length in bytes of the TLV2,
including the field of TLV2-Type, TLV2-Length, and the Value
field, i.e., IP-Port-Limit.
IP-Port-Limit:
2-byte integer. This field contains the maximum number of IP
ports of which, the port type is specified by container IP-Port-
Type TLV.
3.2.2. IP-Port-Ext-IPv4-Addr TLV
This TLV (Figure 6) uses the format defined in[RFC6929]. Its Value
field contains a 4-byte External IPv4 address.
IP-Port-Ext-IPv4-Addr TLV can be included as part of the IP-Port-
Limit Attribute (refer to Section 3.1.2), IP-Port-Range Attribute
(refer to Section 3.1.3), and IP-Port-Forwarding-Map Attribute (refer
to Section 3.1.4).
Note that IP-Port-Ext-IPv4-Addr TLV is embedded within IP-Port-Type
TLV (refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV3-Type | TLV3-Length | IP-Port-Ext-IPv4-Addr |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IP-Port-Ext-IPv4-Addr |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6
TLV3-Type:
TBA4: The type field for IP-Port-IPv4-Addr TLV.
TLV3-Length:
6. The Length field for IP-Port-IPv4-Addr TLV.
IP-Port-Ext-IPv4-Addr:
4-byte integer. This field contains the IPv4 address that is
associated with the range of IP ports.
3.2.3. IP-Port-Int-IP-Addr TLV
This TLV (Figure 7) uses format defined in [RFC6929]. Its Value
field contains an internal IPv4 or IPv6 address.
IP-Port-Int-IP-Addr TLV can be included as part of the IP-Port-
Forwarding-Map Attribute (refer to Section 3.1.4).
Note that IP-Port-Int-IP-Addr TLV is embedded within IP-Port-Type TLV
(refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV4-Type | TLV4-Length | IP-Port-Int-IP-Addr....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7
TLV4-Type:
TBA5: The type field for IP-Port-Int-IP-Addr TLV.
TLV4-Length:
6 or 18 bytes. The Length field for IP-Port-Int-IP-Addr TLV.
IP-Port-Int-IP-Addr:
4 byte integer for IPv4 address or 16 byte for IPv6 address.
3.2.4. IP-Port-Int-Port TLV
This TLV (Figure 8) uses format defined in [RFC6929]. Its Value
field contains an internal IP port number that is associated with an
internal IPv4 or IPv6 address.
IP-Port-Int-Port TLV is included as part of the IP-Port-Forwarding-
Map Attribute (refer to Section 3.1.4).
IP-Port-Int-Port TLV is embedded within embedded within IP-Port-Type
TLV (refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV5-Type | TLV5-Length | IP-Port-Int-Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8
TLV5-Type:
TBA6: The type field for IP-Port-Int-Port TLV.
TLV5-Length:
4 bytes. The Length field for IP-Port-Int-Port TLV.
IP-Port-Int-Port:
2 byte integer. The internal IP port number that is associated
with an IPv4 or IPv6 address.
3.2.5. IP-Port-Ext-Port TLV
This TLV (Figure 9) uses format defined in [RFC6929]. Its Value
field contains an external IP port number that is associated with an
external IPv4 address.
IP-Port-Ext-Port TLV is included as part of the IP-Port-Forwarding-
Map Attribute (refer to Section 3.1.4).
IP-Port-Ext-Port TLV is embedded within IP-Port-Type TLV (refer to
Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV6-Type | TLV6-Length | IP-Port-Ext-Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9
TLV6-Type:
TBA7: The type field for IP-Port-Ext-Port TLV.
TLV6-Length:
4 bytes. The Length field for IP-Port-Ext-Port TLV.
IP-Port-Ext-Port:
2 byte integer. The external IP port number that is associated
with an IPv4 address.
3.2.6. IP-Port-Alloc TLV
This TLV (Figure 10) uses format defined in [RFC6929]. Its Value
field contains a 2-byte integer called IP-Port-Alloc, which indicates
either the allocation or deallocation of a range of IP ports.
IP-Port-Alloc TLV is included as part of the IP-Port-Range Attribute
(refer to Section 3.1.3).
Note that IP-Port-Alloc TLV is embedded within IP-Port-Type TLV
(refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV7-Type | TLV7-Length | IP-Port-Alloc |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10
TLV7-Type:
TBA8: The type field for IP-Port-Alloc TLV.
TLV7-Length:
4. The Length field for IP-Port-Alloc TLV.
IP-Port-Alloc:
2-byte integer. This field indicates the allocation or
deallocation of a range of IP ports as follows:
0:
Allocation
1:
Deallocation
3.2.7. IP-Port-Range-Start TLV
This TLV (Figure 11) uses format defined in [RFC6929]. Its Value
field contains a 2-byte integer called IP-Port-Range-Start, which
indicates the smallest port number of a range of contiguous IP ports.
IP-Port-Range-Start TLV is included as part of the IP-Port-Range
Attribute (refer to Section 3.1.3).
Note that IP-Port-Range-Start TLV is embedded within IP-Port-Type TLV
(refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV8-Type | TLV8-Length | IP-Port-Range-Start |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11
TLV8-Type:
TBA9: The type field for IP-Port-Range-Start TLV.
TLV8-Length:
4. The Length field for IP-Port-Range-Start TLV.
IP-Port-Range-Start:
2-byte integer. This field contains the smallest port number of a
range of contiguous IP ports.
3.2.8. IP-Port-Range-End TLV
This TLV (Figure 12) uses format defined in [RFC6929]. Its Value
field contains a 2-byte integer called IP-Port-Range-End, which
indicates largest port number of a range of contiguous IP ports.
IP-Port-Range-End TLV is included as part of the IP-Port-Range
Attribute (refer to Section 3.1.3).
Note that IP-Port-Range-End TLV is embedded within IP-Port-Type TLV
(refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV9-Type | TLV9-Length | IP-Port-Range-End |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12
TLV9-Type:
TBA10: The type field for IP-Port-Range-End TLV.
TLV9-Length:
4. The Length field for IP-Port-Range-End TLV.
IP-Port-Range-End:
2-byte integer. This field contains the largest port number of a
range of contiguous IP ports.
3.2.9. IP-Port-Local-Id TLV
This TLV (Figure 13) uses format defined in [RFC6929]. Its Value
field contains an identifier with local significance.
In some CGN deployment scenarios as described such as L2NAT
[I-D.miles-behave-l2nat], DS-Extra-Lite [RFC6619] and Lightweight
4over6 [I-D.ietf-softwire-lw4over6], parameters at a customer premise
such as MAC address, interface ID, VLAN ID, PPP session ID, IPv6
prefix, VRF ID, etc., may also be required to pass to the RADIUS
server as part of the accounting record.
IP-Port-Local-Id TLV can be included as part of the IP-Port-Range
Attribute (refer to Section 3.1.3) and IP-Port-Forwarding-Map
Attribute (refer to Section 3.1.4).
Note that IP-Port-Local-Id TLV is embedded within IP-Port-Type TLV
(refer to Section 3.1.1) for detail.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV10-Type | TLV10-Length | IP-Port-Local-Id...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13
TLV10-Type:
TBA11: The type field for IP-Port-Local-Id TLV.
TLV10-Length:
Variable number of bytes. The Length field for IP-Port-Local-Id
TLV.
IP-Port-Local-Id:
This is a local session identifier at the customer premise, such
as MAC address, interface ID, VLAN ID, PPP sessions ID, VRF ID,
IPv6 address/prefix, etc. The length of this field is the value
contained in TLV7-Length field minus 2.
4. Applications, Use Cases and Examples 4. Applications, Use Cases and Examples
This section describes some applications and use cases to illustrate This section describes some applications and use cases to illustrate
the use of the attributes propsoed in this document. the use of the attributes proposed in this document.
4.1. Managing CGN Port Behavior using RADIUS 4.1. Managing CGN Port Behavior using RADIUS
In a broadband network, customer information is usually stored on a In a broadband network, customer information is usually stored on a
RADIUS server, and the BNG hosts the NAS. The communication between RADIUS server, and the BNG hosts the NAS. The communication between
the NAS and the RADIUS server is triggered by a subscriber when the the NAS and the RADIUS server is triggered by a subscriber when the
user signs in to the Internet service, where either PPP or DHCP/ user signs in to the Internet service, where either PPP or DHCP/
DHCPv6 is used. When a user signs in, the NAS sends a RADIUS Access- DHCPv6 is used. When a user signs in, the NAS sends a RADIUS Access-
Request message to the RADIUS server. The RADIUS server validates Request message to the RADIUS server. The RADIUS server validates
the request, and if the validation succeeds, it in turn sends back a the request, and if the validation succeeds, it in turn sends back a
skipping to change at page 13, line 34 skipping to change at page 22, line 43
Stack Lite [RFC6333], NAT64 [RFC6146], etc. As a result, a single Stack Lite [RFC6333], NAT64 [RFC6146], etc. As a result, a single
IPv4 public address may be shared by hundreds or even thousands of IPv4 public address may be shared by hundreds or even thousands of
subscribers. As indicated in [RFC6269], it is therefore necessary to subscribers. As indicated in [RFC6269], it is therefore necessary to
impose limits on the total number of ports available to an individual impose limits on the total number of ports available to an individual
subscriber to ensure that the shared resource, i.e., the IPv4 address subscriber to ensure that the shared resource, i.e., the IPv4 address
remains available in some capacity to all the subscribers using it, remains available in some capacity to all the subscribers using it,
and port limiting is also documented in [RFC6888] as a requirement. and port limiting is also documented in [RFC6888] as a requirement.
The IP port limit imposed to a specific subscriber may be on the The IP port limit imposed to a specific subscriber may be on the
total number of TCP and UDP ports plus the number of ICMP total number of TCP and UDP ports plus the number of ICMP
identifiers, or with other granularities as defined in Section 3.2. identifiers, or with other granularities as defined in Section 3.1.2.
The per-subscriber based IP port limit is configured on a RADIUS The per-subscriber based IP port limit is configured on a RADIUS
server, along with other user information such as credentials. The server, along with other user information such as credentials. The
value of these IP port limit is based on service agreement and its value of these IP port limit is based on service agreement and its
specification is out of the scope of this document. specification is out of the scope of this document.
When a subscriber signs in to the Internet service successfully, the When a subscriber signs in to the Internet service successfully, the
IP port limit for the subscriber is passed to the BNG based NAS, IP port limit for the subscriber is passed to the BNG based NAS,
where CGN also locates, using a new RADIUS attribute called IP-Port- where CGN also locates, using a new RADIUS attribute called IP-Port-
Limit (defined in Section 3.2), along with other configuration Limit (defined in Section 3.1.2), along with other configuration
parameters. While some parameters are passed to the subscriber, the parameters. While some parameters are passed to the subscriber, the
IP port limit is recorded on the CGN device for imposing the usage of IP port limit is recorded on the CGN device for imposing the usage of
TCP/UDP ports and ICMP identifiers for that subscriber. TCP/UDP ports and ICMP identifiers for that subscriber.
Figure 1 illustrates how RADIUS protocol is used to configure the Figure 14 illustrates how RADIUS protocol is used to configure the
maximum number of TCP/UDP ports for a given subscriber on a NAT44 maximum number of TCP/UDP ports for a given subscriber on a NAT44
device. device.
User NAT44/NAS AAA User NAT44/NAS AAA
| BNG Server | BNG Server
| | | | | |
| | | | | |
|----Service Request------>| | |----Service Request------>| |
| | | | | |
| |-----Access-Request -------->| | |-----Access-Request -------->|
skipping to change at page 14, line 24 skipping to change at page 23, line 33
| | (IP-Port-Limit) | | | (IP-Port-Limit) |
| | (for TCP/UDP ports) | | | (for TCP/UDP ports) |
|<---Service Granted ------| | |<---Service Granted ------| |
| (other parameters) | | | (other parameters) | |
| | | | | |
| (NAT44 external port | | (NAT44 external port |
| allocation and | | allocation and |
| IPv4 address assignment) | | IPv4 address assignment) |
| | | | | |
Figure 1: RADIUS Message Flow for Configuring NAT44 Port Limit Figure 14: RADIUS Message Flow for Configuring NAT44 Port Limit
The IP port limit created on a CGN device for a specific user using The IP port limit created on a CGN device for a specific user using
RADIUS extension may be changed using RADIUS CoA message [RFC5176] RADIUS extension may be changed using RADIUS CoA message [RFC5176]
that carries the same RADIUS attribute. The CoA message may be sent that carries the same RADIUS attribute. The CoA message may be sent
from the RADIUS server directly to the NAS, which once accepts and from the RADIUS server directly to the NAS, which once accepts and
sends back a RADIUS CoA ACK message, the new IP port limit replaces sends back a RADIUS CoA ACK message, the new IP port limit replaces
the previous one. the previous one.
Figure 2 illustrates how RADIUS protocol is used to increase the TCP/ Figure 15 illustrates how RADIUS protocol is used to increase the
UDP port limit from 1024 to 2048 on a NAT44 device for a specific TCP/UDP port limit from 1024 to 2048 on a NAT44 device for a specific
user. user.
User NAT/NAS AAA User NAT/NAS AAA
| BNG Server | BNG Server
| | | | | |
| TCP/UDP Port Limit (1024) | | TCP/UDP Port Limit (1024) |
| | | | | |
| |<---------CoA Request----------| | |<---------CoA Request----------|
| | (IP-Port-Limit) | | | (IP-Port-Limit) |
| | (for TCP/UDP ports) | | | (for TCP/UDP ports) |
| | | | | |
| TCP/UDP Port Limit (2048) | | TCP/UDP Port Limit (2048) |
| | | | | |
| |---------CoA Response--------->| | |---------CoA Response--------->|
| | | | | |
Figure 2: RADIUS Message Flow for changing a user's NAT44 port limit Figure 15: RADIUS Message Flow for changing a user's NAT44 port limit
4.1.2. Report IP Port Allocation/De-allocation 4.1.2. Report IP Port Allocation/De-allocation
Upon obtaining the IP port limit for a subscriber, the CGN device Upon obtaining the IP port limit for a subscriber, the CGN device
needs to allocate a TCP/UDP port or an ICMP identifiers for the needs to allocate a TCP/UDP port or an ICMP identifiers for the
subscriber when receiving a new IP flow sent from that subscriber. subscriber when receiving a new IP flow sent from that subscriber.
As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP
identifiers once at a time for a specific user, instead of one port/ identifiers once at a time for a specific user, instead of one port/
identifier at a time, and within each port bulk, the ports/ identifier at a time, and within each port bulk, the ports/
identifiers may be randomly distributed or in consecutive fashion. identifiers may be randomly distributed or in consecutive fashion.
When a CGN device allocates bulk of TCP/UDP ports and ICMP When a CGN device allocates bulk of TCP/UDP ports and ICMP
identifiers, the information can be easily conveyed to the RADIUS identifiers, the information can be easily conveyed to the RADIUS
server by a new RADIUS attribute called the IP-Port-Range (defined in server by a new RADIUS attribute called the IP-Port-Range (defined in
Section 3.3). The CGN device may allocate one or more TCP/UDP port Section 3.1.3). The CGN device may allocate one or more TCP/UDP port
ranges or ICMP identifier ranges, or generally called IP port ranges, ranges or ICMP identifier ranges, or generally called IP port ranges,
where each range contains a set of numbers representing TCP/UDP ports where each range contains a set of numbers representing TCP/UDP ports
or ICMP identifiers, and the total number of ports/identifiers must or ICMP identifiers, and the total number of ports/identifiers must
be less or equal to the associated IP port limit imposed for that be less or equal to the associated IP port limit imposed for that
subscriber. A CGN device may choose to allocate a small port range, subscriber. A CGN device may choose to allocate a small port range,
and allocate more at a later time as needed; such practice is good and allocate more at a later time as needed; such practice is good
because its randomization in nature. because its randomization in nature.
At the same time, the CGN device also needs to decide the shared IPv4 At the same time, the CGN device also needs to decide the shared IPv4
address for that subscriber. The shared IPv4 address and the pre- address for that subscriber. The shared IPv4 address and the pre-
skipping to change at page 15, line 43 skipping to change at page 25, line 11
pre-allocated IP port range for that subscriber to replace the pre-allocated IP port range for that subscriber to replace the
original source TCP/UDP port or ICMP identifier, along with the original source TCP/UDP port or ICMP identifier, along with the
replacement of the source IP address by the shared IPv4 address. replacement of the source IP address by the shared IPv4 address.
A CGN device may decide to "free" a previously assigned set of TCP/ A CGN device may decide to "free" a previously assigned set of TCP/
UDP ports or ICMP identifiers that have been allocated for a specific UDP ports or ICMP identifiers that have been allocated for a specific
subscriber but not currently in use, and with that, the CGN device subscriber but not currently in use, and with that, the CGN device
must send the information of the de-allocated IP port range along must send the information of the de-allocated IP port range along
with the shared IPv4 address to the RADIUS server. with the shared IPv4 address to the RADIUS server.
Figure 3 illustrates how RADIUS protocol is used to report a set of Figure 16 illustrates how RADIUS protocol is used to report a set of
ports allocated and de-allocated, respectively, by a NAT44 device for ports allocated and de-allocated, respectively, by a NAT44 device for
a specific user to the RADIUS server. a specific user to the RADIUS server.
Host NAT44/NAS AAA Host NAT44/NAS AAA
| BNG Server | BNG Server
| | | | | |
| | | | | |
|----Service Request------>| | |----Service Request------>| |
| | | | | |
| |-----Access-Request -------->| | |-----Access-Request -------->|
skipping to change at page 16, line 35 skipping to change at page 25, line 45
... ... ... ... ... ...
| | | | | |
| (NAT44 decides to de-allocate | | (NAT44 decides to de-allocate |
| a TCP/UDP port range for the user) | | a TCP/UDP port range for the user) |
| | | | | |
| |-----Accounting-Request----->| | |-----Accounting-Request----->|
| | (IP-Port-Range | | | (IP-Port-Range |
| | for de-allocation) | | | for de-allocation) |
| | | | | |
Figure 3: RADIUS Message Flow for reporting NAT44 allocation/de- Figure 16: RADIUS Message Flow for reporting NAT44 allocation/de-
allocation of a port set allocation of a port set
4.1.3. Configure Forwarding Port Mapping 4.1.3. Configure Forwarding Port Mapping
In most scenarios, the port mapping on a NAT device is dynamically In most scenarios, the port mapping on a NAT device is dynamically
created when the IP packets of an IP connection initiated by a user created when the IP packets of an IP connection initiated by a user
arrives. For some applications, the port mapping needs to be pre- arrives. For some applications, the port mapping needs to be pre-
defined allowing IP packets of applications from outside a CGN device defined allowing IP packets of applications from outside a CGN device
to pass through and "port forwarded" to the correct user located to pass through and "port forwarded" to the correct user located
behind the CGN device. behind the CGN device.
skipping to change at page 17, line 12 skipping to change at page 26, line 22
creating or deleting a mapping along with a rich set of features on a creating or deleting a mapping along with a rich set of features on a
CGN device in dynamic fashion. In some deployment, all users need is CGN device in dynamic fashion. In some deployment, all users need is
a few, typically just one pre-configured port mapping for a few, typically just one pre-configured port mapping for
applications such as web cam at home, and the lifetime of such a port applications such as web cam at home, and the lifetime of such a port
mapping remains valid throughout the duration of the customer's mapping remains valid throughout the duration of the customer's
Internet service connection time. In such an environment, it is Internet service connection time. In such an environment, it is
possible to statically configure a port mapping on the RADIUS server possible to statically configure a port mapping on the RADIUS server
for a user and let the RADIUS protocol to propagate the information for a user and let the RADIUS protocol to propagate the information
to the associated CGN device. to the associated CGN device.
Figure 4 illustrates how RADIUS protocol is used to configure a Figure 17 illustrates how RADIUS protocol is used to configure a
forwarding port mapping on a NAT44 device by using RADIUS protocol. forwarding port mapping on a NAT44 device by using RADIUS protocol.
Host NAT/NAS AAA Host NAT/NAS AAA
| BNG Server | BNG Server
| | | | | |
|----Service Request------>| | |----Service Request------>| |
| | | | | |
| |---------Access-Request------->| | |---------Access-Request------->|
| | | | | |
| |<--------Access-Accept---------| | |<--------Access-Accept---------|
skipping to change at page 17, line 37 skipping to change at page 26, line 47
| (Create a port mapping | | (Create a port mapping |
| for the user, and | | for the user, and |
| associate it with the | | associate it with the |
| internal IP address | | internal IP address |
| and external IP address) | | and external IP address) |
| | | | | |
| | | | | |
| |------Accounting-Request------>| | |------Accounting-Request------>|
| | (IP-Port-Forwarding-Map) | | | (IP-Port-Forwarding-Map) |
Figure 4: RADIUS Message Flow for configuring a forwarding port Figure 17: RADIUS Message Flow for configuring a forwarding port
mapping mapping
A port forwarding mapping that is created on a CGN device using A port forwarding mapping that is created on a CGN device using
RADIUS extension as described above may also be changed using RADIUS RADIUS extension as described above may also be changed using RADIUS
CoA message [RFC5176] that carries the same RADIUS associate. The CoA message [RFC5176] that carries the same RADIUS associate. The
CoA message may be sent from the RADIUS server directly to the NAS, CoA message may be sent from the RADIUS server directly to the NAS,
which once accepts and sends back a RADIUS CoA ACK message, the new which once accepts and sends back a RADIUS CoA ACK message, the new
port forwarding mapping then replaces the previous one. port forwarding mapping then replaces the previous one.
Figure 5 illustrates how RADIUS protocol is used to change an Figure 18 illustrates how RADIUS protocol is used to change an
existing port mapping from (a:X) to (a:Y), where "a" is an internal existing port mapping from (a:X) to (a:Y), where "a" is an internal
port, and "X" and "Y" are external ports, respectively, for a port, and "X" and "Y" are external ports, respectively, for a
specific user with a specific IP address specific user with a specific IP address
Host NAT/NAS AAA Host NAT/NAS AAA
| BNG Server | BNG Server
| | | | | |
| Internal IP Address | | Internal IP Address |
| Port Map (a:X) | | Port Map (a:X) |
| | | | | |
| |<---------CoA Request----------| | |<---------CoA Request----------|
| | (IP-Port-Forwarding-Map) | | | (IP-Port-Forwarding-Map) |
| | | | | |
| Internal IP Address | | Internal IP Address |
skipping to change at page 18, line 19 skipping to change at page 27, line 29
| | | | | |
| |<---------CoA Request----------| | |<---------CoA Request----------|
| | (IP-Port-Forwarding-Map) | | | (IP-Port-Forwarding-Map) |
| | | | | |
| Internal IP Address | | Internal IP Address |
| Port Map (a:Y) | | Port Map (a:Y) |
| | | | | |
| |---------CoA Response--------->| | |---------CoA Response--------->|
| | (IP-Port-Forwarding-Map) | | | (IP-Port-Forwarding-Map) |
Figure 5: RADIUS Message Flow for changing a user's forwarding port Figure 18: RADIUS Message Flow for changing a user's forwarding port
mapping mapping
4.1.4. An Example 4.1.4. An Example
An Internet Service Provider (ISP) assigns TCP/UDP 500 ports for the An Internet Service Provider (ISP) assigns TCP/UDP 500 ports for the
subscriber Joe. This number is the limit that can be used for TCP/UDP subscriber Joe. This number is the limit that can be used for TCP/UDP
ports on a NAT44 device for Joe, and is configured on a RADIUS ports on a NAT44 device for Joe, and is configured on a RADIUS
server. Also, Joe asks for a pre-defined port forwarding mapping on server. Also, Joe asks for a pre-defined port forwarding mapping on
the NAT44 device for his web cam applications (external port 5000 the NAT44 device for his web cam applications (external port 5000
maps to internal port 80). maps to internal port 80).
skipping to change at page 19, line 34 skipping to change at page 28, line 44
applications can communicate with his web cam at home from external applications can communicate with his web cam at home from external
realm directly traversing the pre-configured mapping on the CGN realm directly traversing the pre-configured mapping on the CGN
device. device.
When Joe disconnects from his Internet service, the CGN device will When Joe disconnects from his Internet service, the CGN device will
de-allocate all TCP/UDP ports as well as the port-forwarding mapping, de-allocate all TCP/UDP ports as well as the port-forwarding mapping,
and send the relevant information to the RADIUS server. and send the relevant information to the RADIUS server.
4.2. Report Assigned Port Set for a Visiting UE 4.2. Report Assigned Port Set for a Visiting UE
Figure 6 illustrates an example of the flow exchange which occurs Figure 19 illustrates an example of the flow exchange which occurs
when a visiting UE connects to a CPE offering Wi-Fi service. when a visiting UE connects to a CPE offering WLAN service.
For identification purposes (see [RFC6967]), once the CPE assigns a For identification purposes (see [RFC6967]), once the CPE assigns a
port set, it issues a RADIUS message to report the assigned port set. port set, it issues a RADIUS message to report the assigned port set.
UE CPE NAS AAA UE CPE NAS AAA
| BNG Server | BNG Server
| | | | | |
| | | | | |
|----Service Request------>| | |----Service Request------>| |
| | | | | |
skipping to change at page 20, line 36 skipping to change at page 29, line 36
| | | | | | | |
| | | | | | | |
| (CPE withdraws a TCP/UDP port | | (CPE withdraws a TCP/UDP port |
| range for a visiting UE) | | range for a visiting UE) |
| | | | | |
| |--Accounting-Request-...------------------->| | |--Accounting-Request-...------------------->|
| | (IP-Port-Range | | | (IP-Port-Range |
| | for de-allocation) | | | for de-allocation) |
| | | | | |
Figure 6: RADIUS Message Flow for reporting CPE allocation/de- Figure 19: RADIUS Message Flow for reporting CPE allocation/de-
allocation of a port set to a visiting UE allocation of a port set to a visiting UE
5. Table of Attributes 5. Table of Attributes
This document proposes three new RADIUS attributes and their formats This document proposes three new RADIUS attributes and their formats
are as follows: are as follows:
o IP-Port-Limit: TBA1.{TBA1-1 .. TBA1-5}.TBA2 o IP-Port-Limit: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA3, {TBA4}]
o IP-Port-Range: TBA1.{TBA1-1 .. TBA1-5}.{TBA3 .. TBA4} o IP-Port-Range: TBA1.TBA2.{TBA2-1..TBA2-5}.[TBA8, TBA9, TBA10,
{TBA4}, {TBA11}].
o IP-Port-Forwarding-Map: TBA.1{TBA1-1 .. TBA1-5}.TBA5 o IP-Port-Forwarding-Map: TBA1.TBA2.{TBA2-1 .. TBA2-5}.[TBA6, TBA7,
TBA5, {TBA4}]
The following table provides a guide as what type of RADIUS packets The following table provides a guide as what type of RADIUS packets
that may contain these attributes, and in what quantity. that may contain these attributes, and in what quantity.
Request Accept Reject Challenge Acct. # Attribute Request Accept Reject Challenge Acct. # Attribute
Request Request
0-1 0-1 0 0 0-1 TBA IP-Port-Limit 0+ 0+ 0 0 0+ TBA IP-Port-Limit
0 0 0 0 0-1 TBA IP-Port-Range 0 0 0 0 0+ TBA IP-Port-Range
0-1 0-1 0 0 0-1 TBA IP-Port-Forwarding-Map 0+ 0+ 0 0 0+ TBA IP-Port-Forwarding-Map
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet. 0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in 0+ Zero or more instances of this attribute MAY be present in packet.
packet.
0-1 Zero or one instance of this attribute MAY be present in packet.
6. Security Considerations 6. Security Considerations
This document does not introduce any security issue than what has This document does not introduce any security issue than what has
been identified in [RFC2865]. been identified in [RFC2865].
7. IANA Considerations 7. IANA Considerations
This document requires new code point assignment for the new RADIUS This document requires new code point assignments for the new RADIUS
attributes as follows: attributes as follows:
o TBA1 (refer to Section 3.1): This value is for the Radius Type o TBA1 (refer to Section 3.1.1): This value is for the Radius Type
field and should be allocated from the number space of Extended- field and should be allocated from the number space of Extended-
Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or Type-1 (241), Extended-Type-2 (242), Extended-Type-3 (243), or
Extended-Type-4 (244) per [RFC6929]. Extended-Type-4 (244) per [RFC6929].
o TBA1-1, TBA1-2, TBA1-3, TBA1-4, and TBA1-5 (refer to Section 3.1): o TBA2 (refer to Section 3.1.1): This value is for the Extended-Type
These values are for the Radius Extended Type field that are field and should be allocated from the Short Extended Space per
associated with TBA1. [RFC6929].
o TBA2 (refer to Section 3.2): This value is for the TLV field and o TBA2-1, TBA2-2, TBA2-3, TBA2-4, and TBA2-5 (refer to
specifies the limit of the IP port imposed to a user. Section 3.1.1): These values are for the Type field of IP-Port-
Type TLV that is within the TBA2 container, and they should be
allocated as TLV data type and effectively extend the attribute
tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3, TBA2-4, TBA2-5}.
o TBA3 (refer to Section 3.3): This value is for the TLV field and o TBA3 (refer to Section 3.1.2): This value is for the type field of
specifies the allocation action of IP ports by a port device IP-Port-Limit TLV. It should be allocated as TLV data type and it
(e.g., a CGN) for a user. extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3,
TBA2-4, TBA2-5}.TBA3.
o TBA4 (refer to Section 3.3): This value is for the TLV field and o TBA4 (refer to Section 3.2.2): This value is for the Type field of
specifies the de-allocation action of IP ports by a port device IP-Port-Ext-IPv4-Addr TLV. It should be allocated as TLV data
(e.g., a CGN) for a user. type and it extends the attribute tree as TBA1.TBA2.{TBA2-1,
TBA2-2, TBA2-3, TBA2-4, TBA2-5}.[TBA4...].
o TBA5(refer to Section 3.4): This value is for the TLV field and o TBA5 (refer to Section 3.2.3): This value is for the Type field of
specifies the mapping action on IP port by a port device (e.g., a IP-Port-Int-IP-Addr TLV. It should be allocated as TLV data type
CGN) for a user. and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
TBA2-3, TBA2-4, TBA2-5}.[TBA5...].
o TBA6 (refer to Section 3.2.4): This value is for the Type field of
IP-Port-Int-Port TLV. It should be allocated as TLV data type and
it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
TBA2-3, TBA2-4, TBA2-5}.[TBA6...].
o TBA7 (refer to Section 3.2.5): This value is for the Type field of
IP-Port-Ext-port TLV. It should be allocated as TLV data type and
it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
TBA2-3, TBA2-4, TBA2-5}.[TBA7...].
o TBA8 (refer to Section 3.2.6): This value is for the Type field of
IP-Port-Alloc TLV. It should be allocated as TLV data type and it
extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2, TBA2-3,
TBA2-4, TBA2-5}.[TBA8...].
o TBA9 (refer to Section 3.2.7): This value is for the Type field of
IP-Port-Range-Start TLV. It should be allocated as TLV data type
and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
TBA2-3, TBA2-4, TBA2-5}.[TBA9..].
o TBA10 (refer to Section 3.2.8): This value is for the Type field
of IP-Port-Range-End TLV. It should be allocated as TLV data type
and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
TBA2-3, TBA2-4, TBA2-5}.[TBA10..].
o TBA11 (refer to Section 3.2.9): This value is for the Type field
of IP-Port-Local-Id TLV. It should be allocated as TLV data type
and it extends the attribute tree as TBA1.TBA2.{TBA2-1, TBA2-2,
TBA2-3, TBA2-4, TBA2-5}.[TBA11..].
8. Acknowledgements 8. Acknowledgements
Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
Thaler, Alan Dekok, and Lionel Morand for their useful comments and Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful
suggestions. comments and suggestions.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", BCP E. Lear, "Address Allocation for Private Internets", BCP
5, RFC 1918, February 1996. 5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
skipping to change at page 22, line 49 skipping to change at page 32, line 35
[I-D.gundavelli-v6ops-community-wifi-svcs] [I-D.gundavelli-v6ops-community-wifi-svcs]
Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, Gundavelli, S., Grayson, M., Seite, P., and Y. Lee,
"Service Provider Wi-Fi Services Over Residential "Service Provider Wi-Fi Services Over Residential
Architectures", draft-gundavelli-v6ops-community-wifi- Architectures", draft-gundavelli-v6ops-community-wifi-
svcs-06 (work in progress), April 2013. svcs-06 (work in progress), April 2013.
[I-D.ietf-softwire-lw4over6] [I-D.ietf-softwire-lw4over6]
Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and Cui, Y., Qiong, Q., Boucadair, M., Tsou, T., Lee, Y., and
I. Farrer, "Lightweight 4over6: An Extension to the DS- I. Farrer, "Lightweight 4over6: An Extension to the DS-
Lite Architecture", draft-ietf-softwire-lw4over6-08 (work Lite Architecture", draft-ietf-softwire-lw4over6-10 (work
in progress), March 2014. in progress), June 2014.
[I-D.miles-behave-l2nat] [I-D.miles-behave-l2nat]
Miles, D. and M. Townsley, "Layer2-Aware NAT", draft- Miles, D. and M. Townsley, "Layer2-Aware NAT", draft-
miles-behave-l2nat-00 (work in progress), March 2009. miles-behave-l2nat-00 (work in progress), March 2009.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, January Address Translator (Traditional NAT)", RFC 3022, January
2001. 2001.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
 End of changes. 151 change blocks. 
321 lines changed or deleted 781 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/