draft-ietf-radext-ip-port-radius-ext-12.txt   draft-ietf-radext-ip-port-radius-ext-13.txt 
Network Working Group D. Cheng Network Working Group D. Cheng
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Korhonen Intended status: Standards Track J. Korhonen
Expires: April 1, 2017 Broadcom Corporation Expires: April 8, 2017 Broadcom Corporation
M. Boucadair M. Boucadair
Orange Orange
S. Sivakumar S. Sivakumar
Cisco Systems Cisco Systems
September 28, 2016 October 5, 2016
RADIUS Extensions for IP Port Configuration and Reporting RADIUS Extensions for IP Port Configuration and Reporting
draft-ietf-radext-ip-port-radius-ext-12 draft-ietf-radext-ip-port-radius-ext-13
Abstract Abstract
This document defines three new RADIUS attributes. For devices that This document defines three new RADIUS attributes. For devices that
implement IP port ranges, these attributes are used to communicate implement IP port ranges, these attributes are used to communicate
with a RADIUS server in order to configure and report IP transport with a RADIUS server in order to configure and report IP transport
ports, as well as mapping behavior for specific hosts. This ports, as well as mapping behavior for specific hosts. This
mechanism can be used in various deployment scenarios such as mechanism can be used in various deployment scenarios such as
Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc. Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.
This document defines a mapping between some RADIUS attributes and
IPFIX Information Element Identifiers.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
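Review bot: the sentence added to the Abstract, "This document defines a mapping between some RADIUS attributes and IPFIX Information Element Identifiers.", does not match the Introduction, which describes the mapping as being between RADIUS TLVs and IPFIX Information Element Identifiers and also says that a new IPFIX Information Element is defined by this document. Suggest aligning the wording ("between some RADIUS TLVs and IPFIX Information Element Identifiers") and mentioning the new Information Element in the Abstract too, since the Abstract currently states only that three new RADIUS attributes are defined.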
skipping to change at page 1, line 46 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 1, 2017. This Internet-Draft will expire on April 8, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5 3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5
3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6 3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6
3.1.1. IP-Port-Limit-Info Attribute . . . . . . . . . . . . 6 3.1.1. IP-Port-Limit-Info Attribute . . . . . . . . . . . . 6
3.1.2. IP-Port-Range Attribute . . . . . . . . . . . . . . . 8 3.1.2. IP-Port-Range Attribute . . . . . . . . . . . . . . . 8
3.1.3. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 10 3.1.3. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 11
3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 13 3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 13
3.2.1. IP-Port-Type TLV . . . . . . . . . . . . . . . . . . 13 3.2.1. IP-Port-Type TLV . . . . . . . . . . . . . . . . . . 14
3.2.2. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 14 3.2.2. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 15
3.2.3. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 15 3.2.3. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 15
3.2.4. IP-Port-Int-IPv4-Addr TLV . . . . . . . . . . . . . . 16 3.2.4. IP-Port-Int-IPv4-Addr TLV . . . . . . . . . . . . . . 16
3.2.5. IP-Port-Int-IPv6-Addr TLV . . . . . . . . . . . . . . 17 3.2.5. IP-Port-Int-IPv6-Addr TLV . . . . . . . . . . . . . . 17
3.2.6. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 18 3.2.6. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 18
3.2.7. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 18 3.2.7. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 19
3.2.8. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 19 3.2.8. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 20
3.2.9. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 20 3.2.9. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 21
3.2.10. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 21 3.2.10. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 22
3.2.11. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 22 3.2.11. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 23
4. Applications, Use Cases and Examples . . . . . . . . . . . . 23 4. Applications, Use Cases and Examples . . . . . . . . . . . . 24
4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 23 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 24
4.1.1. Configure IP Port Limit for a User . . . . . . . . . 24 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 25
4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 26 4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 27
4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 27 4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 28
4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 29 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 30
4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 30 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 31
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 31 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 32
6. Security Considerations . . . . . . . . . . . . . . . . . . . 32 6. Security Considerations . . . . . . . . . . . . . . . . . . . 33
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
7.1. IANA Considerations on New IPFIX Information 7.1. IANA Considerations on New IPFIX Information
Elements . . . . . . . . . . . . . . . . . . . . . . . . 33 Elements . . . . . . . . . . . . . . . . . . . . . . . . 34
7.2. IANA Considerations on New RADIUS Attributes . . . . . . 33 7.2. IANA Considerations on New RADIUS Attributes . . . . . . 34
7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 34 7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 35
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
9.1. Normative References . . . . . . . . . . . . . . . . . . 34 9.1. Normative References . . . . . . . . . . . . . . . . . . 35
9.2. Informative References . . . . . . . . . . . . . . . . . 35 9.2. Informative References . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38
1. Introduction 1. Introduction
In a broadband network, customer information is usually stored on a In a broadband network, customer information is usually stored on a
RADIUS server [RFC2865]. At the time when a user initiates an IP RADIUS server [RFC2865]. At the time when a user initiates an IP
connection request, if this request is authorized, the RADIUS server connection request, if this request is authorized, the RADIUS server
will populate the user's configuration information to the Network will populate the user's configuration information to the Network
Access Server (NAS), which is often referred to as a Broadband Access Server (NAS), which is often referred to as a Broadband
Network Gateway (BNG) in broadband access networks. The Carrier- Network Gateway (BNG) in broadband access networks. The Carrier-
Grade NAT (CGN) function may also be implemented on the BNG. Within Grade NAT (CGN) function may also be implemented on the BNG. Within
skipping to change at page 3, line 35 skipping to change at page 3, line 35
part of the configuration information sent from the RADIUS server to part of the configuration information sent from the RADIUS server to
the NAS/BNG. The NAS/BNG may also report to the RADIUS Server the the NAS/BNG. The NAS/BNG may also report to the RADIUS Server the
port/identifier mapping behavior applied by the CGN to a user session port/identifier mapping behavior applied by the CGN to a user session
to the RADIUS server, as part of the accounting information sent from to the RADIUS server, as part of the accounting information sent from
the NAS/BNG to a RADIUS server. the NAS/BNG to a RADIUS server.
When IP packets traverse the CGN, it performs mapping on the IP When IP packets traverse the CGN, it performs mapping on the IP
transport (e.g., TCP/UDP) source port as required. An IP transport transport (e.g., TCP/UDP) source port as required. An IP transport
source port, along with source IP address, destination IP address, source port, along with source IP address, destination IP address,
destination port and protocol identifier if applicable, uniquely destination port and protocol identifier if applicable, uniquely
identify a session. Since the number space of IP transport ports in identify a mapping. Since the number space of IP transport ports in
CGN's external realm is shared among multiple users assigned with the CGN's external realm is shared among multiple users assigned with the
same IPv4 address, the total number of a user's simultaneous IP same IPv4 address, the total number of a user's simultaneous IP
sessions is likely to be subject to port quota (see Section 5 of mappings is likely to be subject to port quota (see Section 5 of
[RFC6269]). [RFC6269]).
The attributes defined in this document may also be used to report The attributes defined in this document may also be used to report
the assigned port range in some deployments such as Provider WLAN the assigned port range in some deployments such as Provider WLAN
[I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting
host can be managed by a CPE (Customer Premises Equipment ) which host can be managed by a CPE (Customer Premises Equipment ) which
will need to report the assigned port range to the service platform. will need to report the assigned port range to the service platform.
This is required for identification purposes (see TR-146 [TR-146] for This is required for identification purposes (see TR-146 [TR-146] for
more details). more details).
This document proposes three new attributes as RADIUS protocol's This document proposes three new attributes as RADIUS protocol's
extensions, and they are used for separate purposes as follows: extensions, and they are used for separate purposes as follows:
1. IP-Port-Limit-Info: This attribute may be carried in RADIUS 1. IP-Port-Limit-Info: This attribute may be carried in a RADIUS
Access-Accept, Access-Request, Accounting-Request or CoA-Request Access-Accept, Access-Request, Accounting-Request or CoA-Request
packet. The purpose of this attribute is to limit the total packet. The purpose of this attribute is to limit the total
number of IP source transport ports allocated to a user, number of IP source transport ports allocated to a user,
associated with one or more IPv4 or IPv6 addresses. associated with one or more IPv4 or IPv6 addresses.
2. IP-Port-Range: This attribute may be carried in RADIUS 2. IP-Port-Range: This attribute may be carried in a RADIUS
Accounting-Request packet. The purpose of this attribute is to Accounting-Request packet. The purpose of this attribute is for
report by an address sharing device (e.g., a CGN) to the RADIUS an address sharing device (e.g., a CGN) to report to the RADIUS
server the range of IP source transport ports that have been server the range of IP source transport ports that have been
allocated or deallocated associated with a given IPv4/IPv6 allocated or deallocated for a user. The port range is bound to
address for a user. an external IPv4 address.
3. IP-Port-Forwarding-Map: This attribute may be carried in RADIUS 3. IP-Port-Forwarding-Map: This attribute may be carried in RADIUS
Access-Accept, Access-Request, Accounting-Request or CoA-Request Access-Accept, Access-Request, Accounting-Request or CoA-Request
packet. The purpose of this attribute is to specify how an IP packet. The purpose of this attribute is to specify how an IP
internal source transport port together with its internal IPv4 or internal source transport port together with its internal IPv4 or
IPv6 address are mapped to an external source transport port IPv6 address are mapped to an external source transport port
along with the external IPv4 address. along with the external IPv4 address.
IPFIX Information Elements [RFC7012] can be used for IP flow IPFIX Information Elements [RFC7012] can be used for IP flow
identification and representation over RADIUS. This document identification and representation over RADIUS. This document
provides a mapping between some RADIUS TLV and IPFIX Information provides a mapping between some RADIUS TLVs and IPFIX Information
Element Identifiers. A new IPFIX Information Element is defined by Element Identifiers. A new IPFIX Information Element is defined by
this document (see Section 3.2.2). this document (see Section 3.2.2).
IP protocol numbers (refer to [ProtocolNumbers]) can be used for IP protocol numbers (refer to [ProtocolNumbers]) can be used for
identification of IP transport protocols (e.g., TCP/UDP, DCCP and identification of IP transport protocols (e.g., TCP, UDP, DCCP, and
SCTP) that are associated with some RADIUS attributes. SCTP) that are associated with some RADIUS attributes.
This document focuses on IPv4 address sharing. IPv6 prefix sharing
mechanisms (e.g., NPTv6) are out of scope.
2. Terminology 2. Terminology
This document makes use of the following terms: This document makes use of the following terms:
o IP Port: refers to IP transport port. o IP Port: refers to IP transport port (e.g., TCP port number, UDP
port number).
o IP Port Type: refers to the IP transport protocol as indicated by o IP Port Type: refers to the IP transport protocol as indicated by
the IP transport protocol number, refer to (refer to the IP transport protocol number, refer to (refer to
[ProtocolNumbers]) [ProtocolNumbers])
o IP Port Limit: denotes the maximum number of IP ports for a o IP Port Limit: denotes the maximum number of IP ports for a
specific IP port type, that a device supporting port ranges can specific IP port type, that a device supporting port ranges can
use when performing port number mapping for a specific user. use when performing port number mappings for a specific user/host.
Note, this limit is usually associated with one or more IPv4/IPv6 Note, this limit is usually associated with one or more IPv4/IPv6
addresses. addresses.
o IP Port Range: specifies a set of contiguous IP ports, indicated o IP Port Range: specifies a set of contiguous IP ports, indicated
by the lowest numerical number and the highest numerical number, by the lowest numerical number and the highest numerical number,
inclusively. inclusively.
o Internal IP Address: refers to the IP address that is used as a o Internal IP Address: refers to the IP address that is used by a
source IP address in an outbound IP packet sent towards a device host as a source IP address in an outbound IP packet sent towards
supporting port ranges in the internal realm. a device supporting port ranges in the internal realm. The
internal IP address may be IPv4 or IPv6.
o External IP Address: refers to the IP address that is used as a o External IP Address: refers to the IP address that is used as a
source IP address in an outbound IP packet after traversing a source IP address in an outbound IP packet after traversing a
device supporting port ranges in the external realm. device supporting port ranges in the external realm. This
document assumes that the external IP address is an IPv4 address.
o Internal Port: is an IP transport port, which is allocated by a o Internal Port: is an IP transport port, which is allocated by a
host or application behind a device supporting port ranges for an host or application behind an address sharing device for an
outbound IP packet in the internal realm. outbound IP packet in the internal realm.
o External Port: is an IP transport port, which is allocated by a o External Port: is an IP transport port, which is allocated by an
device supporting port ranges upon receiving an outbound IP packet address sharing device upon receiving an outbound IP packet in the
in the internal realm, and is used to replace the internal port internal realm, and is used to replace the internal port that is
that is allocated by a user or application. allocated by a user or application.
o External realm: refers to the networking segment where external IP o External realm: refers to the networking segment where external IP
addresses are used as source addresses of outbound packets addresses are used as source addresses of outbound packets
forwarded by a device supporting port ranges. forwarded by an address sharing device.
o Internal realm: refers to the networking segment that is behind a o Internal realm: refers to the networking segment that is behind an
device supporting port ranges and where internal IP addresses are address sharing device and where internal IP addresses are used.
used.
o Mapping: associates with a device supporting port ranges for a o Mapping: denotes a relationship between an internal IP address,
relationship between an internal IP address, internal port and the internal port and the protocol, and an external IP address,
protocol, and an external IP address, external port, and the external port, and the protocol.
protocol.
o Port-based device: a device that is capable of providing IP o Address sharing device: a device that is capable of sharing an
address and IP transport port mapping services and in particular, IPv4 address among multiple users. A typical example of this
with the granularity of one or more subsets within the 16-bit IP device is a CGN, CPE, Provider WLAN Gateway, etc.
transport port number range. A typical example of this device is
a CGN, CPE, Provider WLAN Gateway, etc.
3. Extensions of RADIUS Attributes and TLVs 3. Extensions of RADIUS Attributes and TLVs
These three new attributes are defined in the following sub-sections: These three new attributes are defined in the following sub-sections:
1. IP-Port-Limit-Info Attribute 1. IP-Port-Limit-Info Attribute
2. IP-Port-Range Attribute 2. IP-Port-Range Attribute
3. IP-Port-Forwarding-Map Attribute 3. IP-Port-Forwarding-Map Attribute
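Review bot: the renaming of "device supporting port ranges" to "address sharing device" in the Terminology is incomplete: the IP Port Limit, Internal IP Address and External IP Address definitions still say "a device supporting port ranges", while the Internal Port, External Port, realm and device definitions now use the new term. Since -13 introduces "Address sharing device" as the defined term, use it in the three remaining definitions as well. Two related points in this region: -13 newly states that the external IP address is assumed to be IPv4 and that IPv6 prefix sharing is out of scope, yet the IP-Port-Limit-Info item still says the limit is "associated with one or more IPv4 or IPv6 addresses" and the IP Port Limit definition still says "one or more IPv4/IPv6 addresses"; given that Section 3.1.1 binds the limit to an IPv4 address through IP-Port-Ext-IPv4-Addr, the text should say whether internal or external addresses are meant. The IP Port Type definition also still carries the duplicated "refer to (refer to [ProtocolNumbers])", which should read "(refer to [ProtocolNumbers])", and item 3 (IP-Port-Forwarding-Map) was not given the article "a RADIUS ... packet" that items 1 and 2 received.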
skipping to change at page 6, line 46 skipping to change at page 6, line 46
protocol as indicated in IP-Port-Type TLV, and associated with a protocol as indicated in IP-Port-Type TLV, and associated with a
given IPv4 address as indicated in IP-Port-Ext-IPv4-Addr TLV for an given IPv4 address as indicated in IP-Port-Ext-IPv4-Addr TLV for an
end user. end user.
Note that when IP-Port-Type TLV is not included as part of the IP- Note that when IP-Port-Type TLV is not included as part of the IP-
Port-Limit-Info Attribute, the port limit applies to all IP transport Port-Limit-Info Attribute, the port limit applies to all IP transport
protocols. protocols.
Note also that when IP-Port-Ext-IPv4-Addr TLV is not included as part Note also that when IP-Port-Ext-IPv4-Addr TLV is not included as part
of the IP-Port-Limit-Info Attribute, the port limit applies to all of the IP-Port-Limit-Info Attribute, the port limit applies to all
the IPv4 addresses managed by the port device, e.g., a CGN or NAT64 the IPv4 addresses managed by the address sharing device, e.g., a CGN
device. or NAT64 device.
The IP-Port-Limit-Info Attribute MAY appear in an Access-Accept The IP-Port-Limit-Info Attribute MAY appear in an Access-Accept
packet. It MAY also appear in an Access-Request packet as a packet. It MAY also appear in an Access-Request packet as a
preferred maximum number of IP ports indicated by the device preferred maximum number of IP ports indicated by the device
supporting port ranges co-located with the NAS, e.g., a CGN or NAT64. supporting port ranges co-located with the NAS, e.g., a CGN or NAT64.
However, the RADIUS server is not required to honor such a
preference.
The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet. The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet.
The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request
packet. packet.
The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS
packet. packet.
The format of the IP-Port-Limit-Info Attribute is shown in Figure 1. The format of the IP-Port-Limit-Info Attribute is shown in Figure 1.
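Review bot: the added sentence "However, the RADIUS server is not required to honor such a preference." settles the server side but leaves the NAS side unstated: when the Access-Accept carries an IP-Port-Limit-Info value that differs from the preference the NAS sent in the Access-Request, the text should say that the NAS applies the server-provided limit, the Access-Request value being a hint only. Also in this region, "indicated by the device supporting port ranges co-located with the NAS" still uses the term that -13 replaced two paragraphs earlier ("managed by the address sharing device, e.g., a CGN or NAT64 device").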
skipping to change at page 8, line 4 skipping to change at page 7, line 49
Value Value
This field contains a set of TLVs as follows: This field contains a set of TLVs as follows:
IP-Port-Type TLV IP-Port-Type TLV
This TLV contains a value that indicates the IP port type. This TLV contains a value that indicates the IP port type.
Refer to Section 3.2.1. Refer to Section 3.2.1.
IP-Port-Limit TLV IP-Port-Limit TLV
This TLV contains the maximum number of IP ports of a specific This TLV contains the maximum number of IP ports of a specific
IP port type and associated with a given IPv4 address for an IP port type and associated with a given IPv4 address for an
end user. This TLV MUST be included in the IP-Port-Limit-Info end user. This TLV MUST be included in the IP-Port-Limit-Info
Attribute. Refer to Section 3.2.2. Attribute. Refer to Section 3.2.2. This limit applies to all
mappings that can be instantiated by an underlying address
sharing device without soliciting any external entity. In
particular, this limit does not include the ports that are
instructed by an AAA server.
IP-Port-Ext-IPv4-Addr TLV IP-Port-Ext-IPv4-Addr TLV
This TLV contains the IPv4 address that is associated with the This TLV contains the IPv4 address that is associated with the
IP port limit contained in the IP-Port-Limit TLV. This TLV is IP port limit contained in the IP-Port-Limit TLV. This TLV is
optionally included as part of the IP-Port-Limit-Info optionally included as part of the IP-Port-Limit-Info
Attribute. Refer to Section 3.2.3. Attribute. Refer to Section 3.2.3.
IP-Port-Limit-Info Attribute is associated with the following IP-Port-Limit-Info Attribute is associated with the following
identifier: 241.Extended-Type(TBD1). identifier: 241.Extended-Type(TBD1).
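Review bot: the new scoping text for the IP-Port-Limit TLV, "this limit does not include the ports that are instructed by an AAA server", is ambiguous about which instructed ports are meant. Presumably these are the mappings explicitly configured through the IP-Port-Forwarding-Map Attribute (Section 3.1.3); if so, say so with a cross-reference, and state whether such mappings are still reported through IP-Port-Range accounting. As written, an implementer cannot tell whether a forwarding mapping that falls inside a dynamically allocated port range counts against the quota, which determines how the limit behaves as a per-user resource cap.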
skipping to change at page 8, line 35 skipping to change at page 8, line 37
o The IP-Port-Range Attribute MAY contain the IP-Port-Type TLV (see o The IP-Port-Range Attribute MAY contain the IP-Port-Type TLV (see
Section 3.2.1). Section 3.2.1).
o The IP-Port-Range Attribute MUST contain the IP-Port-Alloc TLV o The IP-Port-Range Attribute MUST contain the IP-Port-Alloc TLV
(see Section 3.2.8). (see Section 3.2.8).
o For port allocation, the IP-Port-Range Attribute MUST contain both o For port allocation, the IP-Port-Range Attribute MUST contain both
the IP-Port-Range-Start TLV (see Section 3.2.9) and the IP-Port- the IP-Port-Range-Start TLV (see Section 3.2.9) and the IP-Port-
Range-END TLV (see Section 3.2.10). For port deallocation, the Range-END TLV (see Section 3.2.10). For port deallocation, the
IP-Port-Range Attribute MAY contain both of these two TLVs; if the IP-Port-Range Attribute MAY contain both of these two TLVs; if the
two TLVs are not included, it implies that all ports that are two TLVs are not included, it implies that all ports that were
previously allocated are now all deallocated. previously allocated are now all deallocated.
o The IP-Port-Range Attribute MAY contain the IP-Port-Ext-IPv4-Addr o The IP-Port-Range Attribute MAY contain the IP-Port-Ext-IPv4-Addr
TLV (see Section 3.2.3). TLV (see Section 3.2.3).
o The IP-Port-Range Attribute MAY contain the IP-Port-Local-Id TLV o The IP-Port-Range Attribute MAY contain the IP-Port-Local-Id TLV
(see Section 3.2.11). (see Section 3.2.11).
The IP-Port-Range Attribute contains a range of contiguous IP ports. The IP-Port-Range Attribute contains a range of contiguous IP ports.
These ports are either to be allocated or deallocated depending on These ports are either to be allocated or deallocated depending on
the Value carried by the IP-Port-Alloc TLV. the Value carried by the IP-Port-Alloc TLV.
If the IP-Port-Type TLV is included as part of the IP-Port-Range If the IP-Port-Type TLV is included as part of the IP-Port-Range
Attribute, the port range is associated with the specific IP Attribute, the port range is associated with the specific IP
transport protocol as specified in the IP-Port-Type TLV, but transport protocol as specified in the IP-Port-Type TLV, but
otherwise is for all IP transport protocols. otherwise is for all IP transport protocols.
If the IP-Port-Ext-IPv4-Addr TLV is included as part of the IP-Port- If the IP-Port-Ext-IPv4-Addr TLV is included as part of the IP-Port-
Range Attribute, the port range as specified is associated with IPv4 Range Attribute, the port range as specified is associated with IPv4
address as indicated, but otherwise is for all IPv4 addresses by the address as indicated, but otherwise is for all IPv4 addresses by the
port device (e.g., a CGN device) for the end user. address sharing device (e.g., a CGN device) for the end user.
This attribute can be used to convey a single IP transport port This attribute can be used to convey a single IP transport port
number; in such case the Value of the IP-Port-Range-Start TLV and the number; in such case the Value of the IP-Port-Range-Start TLV and the
IP-Port-Range-End TLV, respectively, contain the same port number. IP-Port-Range-End TLV, respectively, contain the same port number.
The information contained in the IP-Port-Range Attribute is sent to The information contained in the IP-Port-Range Attribute is sent to
RADIUS server. RADIUS server.
The IP-Port-Range Attribute MAY appear in an Accounting-Request The IP-Port-Range Attribute MAY appear in an Accounting-Request
packet. packet.
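Review bot: "IP-Port-Range-END TLV" in the allocation/deallocation bullet should be "IP-Port-Range-End TLV", the name used in the Table of Contents and in Section 3.2.10. Two further points in this region: the Introduction now says of IP-Port-Range that "The port range is bound to an external IPv4 address", but here the IP-Port-Ext-IPv4-Addr TLV is only a MAY and its absence means the range applies to all IPv4 addresses of the address sharing device, so one of the two statements needs qualifying; and the deallocation rule "if the two TLVs are not included, it implies that all ports that were previously allocated are now all deallocated" should state whether "all" is scoped by the IP-Port-Type and IP-Port-Ext-IPv4-Addr TLVs when they are present, since otherwise a deallocation report for one address could be read as releasing every port of the user. Minor: "is sent to RADIUS server" needs "the", as does "associated with IPv4 address as indicated".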
skipping to change at page 14, line 26 skipping to change at page 14, line 35
1 1
Length Length
6 6
Protocol-Number Protocol-Number
Integer. This field contains the data (unsigned8) of the port Integer. This field contains the data (unsigned8) of the port
number defined in [ProtocolNumbers], right justified, and the number defined in [ProtocolNumbers], right justified, and the
unused bits in this field MUST be set to zero. unused bits in this field MUST be set to zero. Protocols that do
not use a port number (e.g., Resource Reservation Protocol (RSVP),
IP Encapsulating Security Payload (ESP)) MUST NOT be included in
the IP-Port-Type TLV.
IP-Port-Type TLV MAY be included in the following Attributes: IP-Port-Type TLV MAY be included in the following Attributes:
o IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see o IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see
Section 3.1.1). Section 3.1.1).
o IP-Port-Range Attribute, identified as 241.TBD2.1 (see o IP-Port-Range Attribute, identified as 241.TBD2.1 (see
Section 3.1.2). Section 3.1.2).
When the IP-Port-Type TLV is included within a RADIUS Attribute, the When the IP-Port-Type TLV is included within a RADIUS Attribute, the
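Review bot: the Protocol-Number field description still says it "contains the data (unsigned8) of the port number defined in [ProtocolNumbers]"; [ProtocolNumbers] is the IP protocol number registry, so this should read "protocol number". The new requirement that protocols without a port number (RSVP, ESP) "MUST NOT be included in the IP-Port-Type TLV" is a sender-side rule only; add the receiver behaviour (for example, treat an attribute carrying such a value as malformed and ignore it) so that implementations handle the invalid case consistently instead of each choosing its own.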
skipping to change at page 18, line 10 skipping to change at page 18, line 43
If the internal realm is with IPv6 address family, the IP-Port-Int- If the internal realm is with IPv6 address family, the IP-Port-Int-
IPv6-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map IPv6-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map
Attribute (refer to Section 3.1.3), identified as 241.TBD3.5. Attribute (refer to Section 3.1.3), identified as 241.TBD3.5.
3.2.6. IP-Port-Int-Port TLV 3.2.6. IP-Port-Int-Port TLV
The format of IP-Port-Int-Port TLV is shown in Figure 9. This The format of IP-Port-Int-Port TLV is shown in Figure 9. This
attribute carries IPFIX Information Element 7, "sourceTransportPort", attribute carries IPFIX Information Element 7, "sourceTransportPort",
which is the source transport number associated with an internal IPv4 which is the source transport number associated with an internal IPv4
or IPv6 address (refer to [IPFIX]). or IPv6 address (refer to [IPFIX]). The attribute is encoded in 32
bits as per the recommendation in Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | sourceTransportPort | TLV-Type | Length | sourceTransportPort
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
sourceTransportPort | sourceTransportPort |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9 Figure 9
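Review bot: the added encoding note for IP-Port-Int-Port, "The attribute is encoded in 32 bits as per the recommendation in Appendix A.2.1 of [RFC6158]", should also say how the 16-bit sourceTransportPort value sits in the 32-bit field (right justified, unused high-order bits set to zero), as the Protocol-Number field in Section 3.2.1 already does; without this a receiver cannot tell whether a value above 65535 is an encoding error. Also, this section defines a TLV but opens with "This attribute carries IPFIX Information Element 7"; suggest "This TLV carries".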
skipping to change at page 18, line 45 skipping to change at page 19, line 38
IP-Port-Int-Port TLV MUST be included as part of the IP-Port- IP-Port-Int-Port TLV MUST be included as part of the IP-Port-
Forwarding-Map Attribute (refer to Section 3.1.3), identified as Forwarding-Map Attribute (refer to Section 3.1.3), identified as
241.TBD3.6. 241.TBD3.6.
3.2.7. IP-Port-Ext-Port TLV 3.2.7. IP-Port-Ext-Port TLV
The format of IP-Port-Ext-Port TLV is shown in Figure 10. This The format of IP-Port-Ext-Port TLV is shown in Figure 10. This
attribute carries IPFIX Information Element 227, attribute carries IPFIX Information Element 227,
"postNAPTSourceTransportPort", which is the transport number "postNAPTSourceTransportPort", which is the transport number
associated with an external IPv4 address(refer to [IPFIX]). associated with an external IPv4 address(refer to [IPFIX]). The
attribute is encoded in 32 bits as per the recommendation in
Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | postNAPTSourceTransportPort | TLV-Type | Length | postNAPTSourceTransportPort
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
postNAPTSourceTransportPort | postNAPTSourceTransportPort |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10 Figure 10
skipping to change at page 20, line 50 skipping to change at page 21, line 32
0. 0.
IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range
Attribute (refer to Section 3.1.2), identified as 241.TBD2.8. Attribute (refer to Section 3.1.2), identified as 241.TBD2.8.
3.2.9. IP-Port-Range-Start TLV 3.2.9. IP-Port-Range-Start TLV
The format of IP-Port-Range-Start TLV is shown in Figure 12. This The format of IP-Port-Range-Start TLV is shown in Figure 12. This
attribute carries IPFIX Information Element 361, "portRangeStart", attribute carries IPFIX Information Element 361, "portRangeStart",
which is the smallest port number of a range of contiguous transport which is the smallest port number of a range of contiguous transport
ports (refer to [IPFIX]). ports (refer to [IPFIX]). The attribute is encoded in 32 bits as per
the recommendation in Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | portRangeStart | TLV-Type | Length | portRangeStart
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
portRangeStart | portRangeStart |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12 Figure 12
skipping to change at page 21, line 37 skipping to change at page 22, line 20
zero. zero.
IP-Port-Range-Start TLV is included as part of the IP-Port-Range IP-Port-Range-Start TLV is included as part of the IP-Port-Range
Attribute (refer to Section 3.1.2), identified as 241.TBD2.9. Attribute (refer to Section 3.1.2), identified as 241.TBD2.9.
3.2.10. IP-Port-Range-End TLV 3.2.10. IP-Port-Range-End TLV
The format of IP-Port-Range-End TLV is shown in Figure 13. This The format of IP-Port-Range-End TLV is shown in Figure 13. This
attribute carries IPFIX Information Element 362, "portRangeEnd", attribute carries IPFIX Information Element 362, "portRangeEnd",
which is the largest port number of a range of contiguous transport which is the largest port number of a range of contiguous transport
ports (refer to [IPFIX]). ports (refer to [IPFIX]). The attribute is encoded in 32 bits as per
the recommendation in Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | portRangeEnd | TLV-Type | Length | portRangeEnd
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
portRangeEnd | portRangeEnd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13 Figure 13
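The four port TLVs above share one wire shape: a one-octet TLV-Type, a
one-octet Length that covers the whole TLV, and a 16-bit port number
carried in a 32-bit integer, so each TLV is six octets long and a
receiver has to check both the Length and that the upper 16 bits of the
value are zero. The encoder and decoder below are an added example
written for this page, not code from the draft or from any RADIUS
implementation. The TLV-Type values 6 and 9 are taken from the
identifiers 241.TBD3.6 and 241.TBD2.9 above; the value 10 used for
IP-Port-Range-End follows the same numbering but is an assumption, as
that identifier is not shown on this page.

```python
import struct

# TLV-Type values: 6 (IP-Port-Int-Port) and 9 (IP-Port-Range-Start) come
# from the identifiers 241.TBD3.6 and 241.TBD2.9 in the text; 10 for
# IP-Port-Range-End is an assumption that follows the same numbering.
TLV_INT_PORT = 6
TLV_RANGE_START = 9
TLV_RANGE_END = 10  # assumed

_HDR = struct.Struct("!BB")  # TLV-Type, Length (Length covers the whole TLV)
_U32 = struct.Struct("!I")   # the port is carried as a 32-bit unsigned integer
PORT_TLV_LEN = _HDR.size + _U32.size  # 2 + 4 = 6 octets
MAX_PORT = 0xFFFF


def encode_port_tlv(tlv_type, port):
    """Build one 32-bit port TLV; the upper 16 bits of the value are zero."""
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port {port} is outside the 16-bit range")
    return _HDR.pack(tlv_type, PORT_TLV_LEN) + _U32.pack(port)


def iter_tlvs(data):
    """Yield (tlv_type, value_bytes) for each TLV, walking by the Length field.

    Rejects a truncated header, a Length below the 3-octet minimum and a
    Length that runs past the end of the buffer.
    """
    offset = 0
    while offset < len(data):
        if len(data) - offset < _HDR.size:
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, length = _HDR.unpack_from(data, offset)
        if length < _HDR.size + 1 or offset + length > len(data):
            raise ValueError(f"bad TLV length {length} at offset {offset}")
        yield tlv_type, data[offset + _HDR.size:offset + length]
        offset += length


def port_from_value(value):
    """Decode the 32-bit value of a port TLV and check that it fits a port."""
    if len(value) != _U32.size:
        raise ValueError(f"port TLV value must be 4 octets, got {len(value)}")
    (port,) = _U32.unpack(value)
    if port > MAX_PORT:
        raise ValueError(f"port value {port} does not fit in 16 bits")
    return port


def decode_port_range(data):
    """Extract and validate the (portRangeStart, portRangeEnd) pair.

    TLVs of other types (addresses, IP-Port-Alloc, ...) are skipped by
    Length without being interpreted.
    """
    start = end = None
    for tlv_type, value in iter_tlvs(data):
        if tlv_type == TLV_RANGE_START:
            start = port_from_value(value)
        elif tlv_type == TLV_RANGE_END:
            end = port_from_value(value)
    if start is None or end is None:
        raise ValueError("IP-Port-Range-Start and IP-Port-Range-End are both required")
    if start > end:
        raise ValueError(f"portRangeStart {start} exceeds portRangeEnd {end}")
    return start, end


if __name__ == "__main__":
    # Constructed sample: the 3500-3540 range from the example in Section 4.1.4.
    wire = encode_port_tlv(TLV_RANGE_START, 3500) + encode_port_tlv(TLV_RANGE_END, 3540)
    print(wire.hex(), decode_port_range(wire))
```

The decoder walks by Length rather than assuming every TLV is a port
TLV, so an IP-Port-Range Attribute that also carries IP-Port-Alloc and
address TLVs still parses; a reversed pair, a value above 65535 or a
Length that overruns the buffer is rejected before anything reaches the
port-tracking logic.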
the NAS and the RADIUS server is triggered by a user when it signs in
to the Internet service, where either PPP or DHCP/DHCPv6 is used.
When a user signs in, the NAS sends a RADIUS Access-Request message
to the RADIUS server. The RADIUS server validates the request, and
if the validation succeeds, it in turn sends back a RADIUS Access-
Accept message. The Access-Accept message carries configuration
information specific to that user back to the NAS, where some of the
information is passed on to the requesting user via PPP or DHCP/
DHCPv6.

A CGN function in a broadband network is most likely co-located on a
BNG. In that case, parameters for CGN port mapping behavior for
users can be configured on the RADIUS server. When a user signs in
to the Internet service, the associated parameters can be conveyed to
the NAS, and proper configuration is accomplished on the CGN device
for that user.

Also, CGN operation status such as CGN port allocation and
deallocation for a specific user on the BNG can be transmitted
back to the RADIUS server for accounting purposes using the RADIUS
protocol.

specification introduces little overhead to the existing network
operation.

In the following sub-sections, we describe how to manage CGN behavior
using the RADIUS protocol, with the RADIUS extensions proposed in
Section 3.
4.1.1. Configure IP Port Limit for a User

In the face of IPv4 address shortage, there are currently proposals
to multiplex multiple users' connections over a number of shared IPv4
addresses, such as Carrier Grade NAT [RFC6888], Dual-Stack Lite
[RFC6333], NAT64 [RFC6146], etc. As a result, a single IPv4 public
address may be shared by hundreds or even thousands of users. As
indicated in [RFC6269], it is therefore necessary to impose limits on
the total number of ports available to an individual user to ensure
that the shared resource, i.e., the IPv4 address, remains available
in some capacity to all the users using it. The support of IP port
limit is also documented in [RFC6888] as a requirement for CGN.

The IP port limit imposed on an end user may be on the total number
of IP source transport ports, or on a specific IP transport protocol
as defined in Section 3.1.1.

The per-user IP port limit is configured on a RADIUS server, along
with other user information such as credentials.

When a user signs in to the Internet service successfully, the IP
port limit for the subscriber is passed by the RADIUS server to the
BNG, acting as a NAS and co-located with the CGN, using the IP-Port-
Limit-Info RADIUS attribute (defined in Section 3.1.1), along with
other configuration parameters. While some parameters are passed to
the user, the IP port limit is recorded on the CGN device for
enforcing the usage of IP transport ports for that user.

Figure 15 illustrates how the RADIUS protocol is used to configure
the maximum number of TCP/UDP ports for a given user on a CGN device.

  User                     CGN/NAS                         AAA
   |                         BNG                         Server
   |                          |                             |
   |                          |                             |
   |----Service Request------>|                             |
   |                          |                             |
   |                          |-----Access-Request --------->|
   |                          |                             |
   |                          |<----Access-Accept-----------|
   |                          |    (IP-Port-Limit-Info)     |
   |                          |     (for TCP/UDP ports)     |
   |<---Service Granted ------|                             |
   |    (other parameters)    |                             |
   |                          |                             |
   |    (CGN external port    |                             |
   |      allocation and      |                             |
   | IPv4 address assignment) |                             |
   |                          |                             |

     Figure 15: RADIUS Message Flow for Configuring CGN Port Limit

The IP port limit created on a CGN device for a specific user using
the RADIUS extension may be changed using a RADIUS CoA message
[RFC5176] that carries the same RADIUS attribute. The CoA message may
be sent from the RADIUS server directly to the NAS, which, once it
accepts the request and sends back a RADIUS CoA ACK message, replaces
the previous IP port limit with the new one.

Figure 16 illustrates how the RADIUS protocol is used to increase the
TCP/UDP port limit from 1024 to 2048 on a CGN device for a specific
user.

  User                     CGN/NAS                         AAA
   |                         BNG                         Server
   |                          |                             |
   |               TCP/UDP Port Limit (1024)                |
   |                          |                             |
   |                          |<--------CoA Request---------|
   |                          |    (IP-Port-Limit-Info)     |
   |                          |     (for TCP/UDP ports)     |
   |                          |                             |
   |               TCP/UDP Port Limit (2048)                |
   |                          |                             |
   |                          |---------CoA Response-------->|
   |                          |                             |

  Figure 16: RADIUS Message Flow for changing a user's CGN port limit
4.1.2. Report IP Port Allocation/Deallocation

Upon obtaining the IP port limit for a user, the CGN device needs to
allocate an IP transport port for the user when receiving a new IP
flow sent from that user.

As one practice, a CGN may allocate a block of IP ports for a
specific user, instead of one port at a time, and within each port
block, the ports may be randomly distributed or in consecutive

with the replacement of the source IP address by the shared IPv4
address.

A CGN device may decide to "free" a previously assigned set of IP
ports that have been allocated for a specific user but not currently
in use, and with that, the CGN device must send the information of
the deallocated IP port range along with the shared IPv4 address to
the RADIUS server.

Figure 17 illustrates how RADIUS protocol is used to report a set of
ports allocated and deallocated, respectively, by a NAT64 device for
a specific user to the RADIUS server.

  Host                    NAT64/NAS                        AAA
   |                         BNG                         Server
   |                          |                             |
   |                          |                             |
   |----Service Request------>|                             |
   |                          |                             |
   |                          |-----Access-Request --------->|
   |                          |                             |
   |                          |<----Access-Accept-----------|
   |<---Service Granted ------|                             |
   |    (other parameters)    |                             |
  ...                        ...                           ...
   |                          |                             |
   |                          |                             |
   |               (NAT64 decides to allocate               |
   |           a TCP/UDP port range for the user)           |
   |                          |                             |
   |                          |-----Accounting-Request----->|
   |                          |       (IP-Port-Range        |
   |                          |       for allocation)       |
  ...                        ...                           ...
   |                          |                             |
   |              (NAT64 decides to deallocate              |
   |           a TCP/UDP port range for the user)           |
   |                          |                             |
   |                          |-----Accounting-Request----->|
   |                          |       (IP-Port-Range        |
   |                          |      for deallocation)      |
   |                          |                             |

    Figure 17: RADIUS Message Flow for reporting NAT64 allocation/
                      deallocation of a port set
4.1.3. Configure Forwarding Port Mapping

In most scenarios, the port mapping on a NAT device is dynamically
created when the IP packets of an IP connection initiated by a user
arrive. For some applications, the port mapping needs to be pre-
defined, allowing IP packets of applications from outside a CGN
device to pass through and be "port forwarded" to the correct user
located behind the CGN device.

creating or deleting a mapping along with a rich set of features on a
CGN device in dynamic fashion. In some deployments, all users need is
a few, typically just one, pre-configured port mapping for
applications such as a web cam at home, and such a port mapping
remains valid throughout the duration of the customer's Internet
service connection time. In such an environment, it is possible to
statically configure a port mapping on the RADIUS server for a user
and let the RADIUS protocol propagate the information to the
associated CGN device.

Note that this document targets deployments where a AAA server is
responsible for instructing NAT mappings for a given subscriber and
does not make any assumption about the host's capabilities with
regards to port forwarding control. This deployment is complementary
to PCP given that PCP targets a different deployment model where an
application (on the host) controls its mappings in an upstream CPE,
CGN, firewall, etc.

Figure 18 illustrates how the RADIUS protocol is used to configure a
forwarding port mapping on a NAT44 device.

  Host                     CGN/NAS                         AAA
   |                         BNG                         Server
   |                          |                             |
   |----Service Request------>|                             |
   |                          |                             |
   |                          |-----Access-Request --------->|
   |                          |                             |
   |                          |<----Access-Accept-----------|
   |                          |  (IP-Port-Forwarding-Map)   |
   |<---Service Granted ------|                             |
   |    (other parameters)    |                             |
   |                          |                             |
   |                          |                             |
   |                          |-----Accounting-Request----->|
   |                          |  (IP-Port-Forwarding-Map)   |

    Figure 18: RADIUS Message Flow for configuring a forwarding port
                                mapping

A port forwarding mapping that is created on a CGN device using the
RADIUS extension as described above may also be changed using a
RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
The CoA message may be sent from the RADIUS server directly to the
NAS, which, once it accepts the request and sends back a RADIUS CoA
ACK message, replaces the previous port forwarding mapping with the
new one.

Figure 19 illustrates how the RADIUS protocol is used to change an
existing port mapping from (a:X) to (a:Y), where "a" is an internal
port, and "X" and "Y" are external ports, respectively, for a
specific user with a specific IP address.

  Host                     CGN/NAS                         AAA
   |                         BNG                         Server
   |                          |                             |
   |                  Internal IP Address                   |
   |                     Port Map (a:X)                     |
   |                          |                             |
   |                          |<--------CoA Request---------|
   |                          |  (IP-Port-Forwarding-Map)   |
   |                          |                             |
   |                  Internal IP Address                   |
   |                     Port Map (a:Y)                     |
   |                          |---------CoA Response-------->|
   |                          |  (IP-Port-Forwarding-Map)   |

   Figure 19: RADIUS Message Flow for changing a user's forwarding port
                                mapping
4.1.4. An Example

An Internet Service Provider (ISP) assigns 500 TCP/UDP ports for the
user Joe. This number is the limit that can be used for TCP/UDP ports
on a CGN device for Joe, and is configured on a RADIUS server. Also,
Joe asks for a pre-defined port forwarding mapping on the CGN device
for his web cam applications (external port 5000 maps to internal
port 1234).

When Joe successfully connects to the Internet service, the RADIUS
server conveys the TCP/UDP port limit (500) and the forwarding port
mapping (external port 5000 to internal port 1234) to the CGN device,
using the IP-Port-Limit-Info Attribute and the IP-Port-Forwarding-Map
Attribute, respectively, carried by an Access-Accept message to the
BNG where the NAS and CGN are co-located.

Upon receiving the first outbound IP packet sent from Joe's laptop,
the CGN device decides to allocate a small port pool that contains 40
consecutive ports, from 3500 to 3540, inclusive, and also assigns a
shared IPv4 address 192.0.2.15 to Joe. The CGN device also randomly
selects one port from the allocated range (say 3519) and uses that
port to replace the original source port in outbound IP packets.

For accounting purposes, the CGN device passes this port range
(3500-3540) and the shared IPv4 address 192.0.2.15 together to the
RADIUS server using the IP-Port-Range Attribute carried by an
Accounting-Request message.

When Joe works on more applications with more outbound IP mappings
and the port pool (3500-3540) is close to exhaustion, the CGN device
allocates a second port pool (8500-8800) in a similar fashion, and
also passes the new port range (8500-8800) and IPv4 address
192.0.2.15 together to the RADIUS server using the IP-Port-Range
Attribute carried by an Accounting-Request message. Note that when
the CGN allocates more ports, it needs to ensure that the total
number of ports allocated for Joe stays within the limit.

Joe decides to upgrade his service agreement with more TCP/UDP ports
allowed (up to 1000 ports). The ISP updates the information in Joe's
profile on the RADIUS server, which then sends a CoA-Request message
that carries the IP-Port-Limit-Info Attribute with 1000 ports to the
CGN device; the CGN device in turn sends back a CoA-ACK message.
With that, Joe enjoys more available TCP/UDP ports for his
applications.

When Joe is not using his service, most of the IP mappings are closed
with their associated TCP/UDP ports released on the CGN device, which
then sends the relevant information back to the RADIUS server using
the IP-Port-Range Attribute carried by an Accounting-Request message.

Throughout Joe's connection with his ISP Internet service,
applications can communicate with his web cam at home from the
external realm, directly traversing the pre-configured mapping on the
CGN device.

When Joe disconnects from his Internet service, the CGN device will
deallocate all TCP/UDP ports as well as the port-forwarding mapping,
and send the relevant information to the RADIUS server.
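The narrative above reduces to a small piece of state kept by the CGN
for each subscriber: port pools are added only while the running total
stays within the IP-Port-Limit-Info value, every allocation or release
yields an IP-Port-Range report for an Accounting-Request, a CoA can move
the limit while pools are live, and the IP-Port-Forwarding-Map entry is
a static mapping that a later CoA replaces. The model below is an added
example written for this page, not code from the draft or from any CGN
product; the class and method names are invented, and the numbers replay
the Joe example. One caveat the example glosses over: an inclusive range
such as 3500-3540 holds 41 ports, not 40, and that is what the model
counts when it enforces the limit.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PortRange:
    """An inclusive port range as carried in IP-Port-Range-Start/End."""
    start: int
    end: int

    def __post_init__(self):
        if not (0 <= self.start <= self.end <= 0xFFFF):
            raise ValueError(f"invalid port range {self.start}-{self.end}")

    @property
    def size(self):
        # Inclusive count: 3500-3540 holds 41 ports.
        return self.end - self.start + 1

    def overlaps(self, other):
        return self.start <= other.end and other.start <= self.end


@dataclass
class SubscriberPorts:
    """CGN-side bookkeeping for one subscriber behind a shared IPv4 address.

    Hypothetical model built for this page; it is not the draft's API.
    """
    user: str
    port_limit: int       # value received in IP-Port-Limit-Info
    external_addr: str    # shared IPv4 address
    ranges: list = field(default_factory=list)
    forwarding: dict = field(default_factory=dict)  # internal port -> external port
    events: list = field(default_factory=list)      # what Accounting-Requests would carry

    def allocated(self):
        return sum(r.size for r in self.ranges)

    def allocate(self, start, end):
        """Add a pool only if the per-user limit is still respected."""
        rng = PortRange(start, end)
        if any(rng.overlaps(r) for r in self.ranges):
            raise ValueError(f"{start}-{end} overlaps a pool already held by {self.user}")
        if self.allocated() + rng.size > self.port_limit:
            raise ValueError(
                f"{self.user}: {self.allocated()} + {rng.size} ports would exceed "
                f"the limit of {self.port_limit}")
        self.ranges.append(rng)
        self.events.append(("IP-Port-Range", "alloc", self.external_addr, start, end))
        return rng

    def deallocate(self, start, end):
        """Release a pool and record the deallocation report."""
        rng = PortRange(start, end)
        if rng not in self.ranges:
            raise ValueError(f"{start}-{end} is not allocated to {self.user}")
        self.ranges.remove(rng)
        self.events.append(("IP-Port-Range", "dealloc", self.external_addr, start, end))

    def set_limit(self, new_limit):
        """Apply a CoA-Request carrying a new IP-Port-Limit-Info value.

        Returns True if the subscriber is within the new limit. A limit
        lowered below the current allocation is accepted (a design choice
        of this model, not something the draft specifies) and simply blocks
        further allocate() calls until pools are freed.
        """
        self.port_limit = new_limit
        return self.allocated() <= new_limit

    def set_forwarding(self, internal_port, external_port):
        """Install or replace the static mapping from IP-Port-Forwarding-Map."""
        self.forwarding[internal_port] = external_port


def walk_joe_example():
    """Replay the Section 4.1.4 narrative and return the resulting state."""
    joe = SubscriberPorts("Joe", port_limit=500, external_addr="192.0.2.15")
    joe.set_forwarding(1234, 5000)   # external port 5000 maps to internal 1234
    joe.allocate(3500, 3540)         # first pool, 41 ports inclusive
    joe.allocate(8500, 8800)         # second pool, 301 ports; 342 total <= 500
    joe.set_limit(1000)              # CoA-Request raises the limit to 1000
    joe.deallocate(3500, 3540)       # idle pool released and reported
    return joe


if __name__ == "__main__":
    state = walk_joe_example()
    print(state.allocated(), state.port_limit, state.events)
```

The check that matters for the shared address is the one in
`allocate()`: the total across all live pools, not the size of the new
pool, is compared against the limit, which is exactly the condition the
text attaches to the second pool (8500-8800).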
4.2. Report Assigned Port Set for a Visiting UE

Figure 20 illustrates an example of the flow exchange which occurs
when a visiting User Equipment (UE) connects to a CPE offering WLAN
service.

For identification purposes (see [RFC6967]), once the CPE assigns a
port set, it issues a RADIUS message to report the assigned port set.

  UE                        CPE     CGN                    AAA
   |                          |     BNG                  Server
   |                          |                             |
   |                          |                             |
   |----Service Request------>|                             |
   |                          |                             |
   |                          |-----Access-Request --------->|
   |                          |                             |
   |                          |<----Access-Accept-----------|
   |<---Service Granted ------|                             |
   |    (other parameters)    |                             |
address and port range assigned to a given user and which is reported
in an IP-Port-Range Attribute, etc. The root cause of these attack
vectors is the communication between the RADIUS client and server.

The IP-Port-Local-Id TLV includes an identifier of which the type and
length are deployment and implementation dependent. This identifier
might carry privacy-sensitive information. It is therefore
RECOMMENDED to utilize identifiers that do not have such privacy
concerns.

This document targets deployments where a trusted relationship is in
place between the RADIUS client and server with communication
optionally secured by IPsec or Transport Layer Security (TLS)
[RFC6614].

7. IANA Considerations

This document requires new code point assignments for both IPFIX
Information Elements and RADIUS attributes as explained in the
following sub-sections.
skipping to change at page 34, line 32 skipping to change at page 35, line 32
8. Acknowledgements 8. Acknowledgements
Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful
comments and suggestions. comments and suggestions.
Special thanks to Lionel Morand for the Shepherd review and to Special thanks to Lionel Morand for the Shepherd review and to
Kathleen Moriarty for the AD review. Kathleen Moriarty for the AD review.
Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed
review.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-radext-datatypes] [I-D.ietf-radext-datatypes]
DeKok, A., "Data Types in the Remote Authentication Dial- DeKok, A., "Data Types in the Remote Authentication Dial-
In User Service Protocol (RADIUS)", draft-ietf-radext- In User Service Protocol (RADIUS)", draft-ietf-radext-
datatypes-07 (work in progress), August 2016. datatypes-07 (work in progress), August 2016.
[IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", [IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities",
<http://www.iana.org/assignments/ipfix/ipfix.xhtml>. <http://www.iana.org/assignments/ipfix/ipfix.xhtml>.
[ProtocolNumbers] [ProtocolNumbers]
IANA, "Service Name and Transport Protocol Port Number", IANA, "Protocol Numbers",
<http://www.iana.org/assignments/protocol-numbers/ <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
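Review bot: the [ProtocolNumbers] title change is correct, since "Service Name and Transport Protocol Port Number" is the name of a different IANA registry while the cited URL (protocol-numbers.xhtml) is the Protocol Numbers registry; because this document configures and reports transport port ranges, check whether the body still relies on the port-number registry anywhere and, if so, give it its own reference entry rather than relying on the old mislabelled one.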
skipping to change at page 36, line 20 skipping to change at page 37, line 25
Aboba, "Dynamic Authorization Extensions to Remote Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176, Authentication Dial In User Service (RADIUS)", RFC 5176,
DOI 10.17487/RFC5176, January 2008, DOI 10.17487/RFC5176, January 2008,
<http://www.rfc-editor.org/info/rfc5176>. <http://www.rfc-editor.org/info/rfc5176>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6 NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <http://www.rfc-editor.org/info/rfc6146>. April 2011, <http://www.rfc-editor.org/info/rfc6146>.
[RFC6158] DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011,
<http://www.rfc-editor.org/info/rfc6158>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<http://www.rfc-editor.org/info/rfc6269>. <http://www.rfc-editor.org/info/rfc6269>.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Stack Lite Broadband Deployments Following IPv4 Stack Lite Broadband Deployments Following IPv4
Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011,
<http://www.rfc-editor.org/info/rfc6333>. <http://www.rfc-editor.org/info/rfc6333>.
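Review bot: [RFC6158] is added to the Normative References, but BCP 158 is a design-guidelines document and is usually cited informatively; confirm that the body text actually depends on it for a MUST/SHOULD-level requirement (for example on attribute data types or complex-attribute justification), and otherwise place it under Informative References.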
 End of changes. 72 change blocks. 
134 lines changed or deleted 164 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/