DS-lite update

Draft-ietf-softwire-dual-stack-lite-01.txt

Yiu Lee

IETF 75

Page 2: Change from 00 to 01

• Port allocation discussion

• Added more discussion for MTU

• Added more discussion for security

• New co-authors: Yiu Lee, Randy Bush

Page 3: Port Allocation Methods

• Automatic Port Assignment

• Static Reservation

– A+P with User-Controlled ALG

– Port forwarding

• Dynamic Port Reservation

Page 4: Port Assignment

• DS-lite port assignment is modeled on what exists today in the NAT home gateway:

① Automatic port assignment by the NAT

② Static configuration via NAT web interface

③ UPnP/NAT-PMP dynamic port reservation

Page 5: 1 - Automatic Port Assignment

• Applies to flows initiated by a host behind DS-lite

• CGN will perform standard NAT44 after de-capsulating the IPv6 header.

• CGN creates this NAT binding dynamically and will expire it if no datagrams flow for a timeout interval. This timeout interval should be short enough to maximize port utilization and long enough not to disrupt applications.

Page 6: 2 - Static Port Reservation (user driven)

• Service Provider will assign a (small) number of ports to be directly under the control of customers. The method to distribute them can be out-of-band

– eg: ISP portal

• This enables inbound connections

• User can configure the static port forwarding policy of the CGN to specify two possible behaviors:

– A+P

– Port forwarding

Figure: ISP portal, "Address & port control tab" for user foo. External IPv4 address: 1.2.3.4. A table with the columns Port, A+P, Port forwarding, Internal IP and Port lists the ports 3000 to 3004, each ticked as either A+P or Port forwarding; the port forwarding entries point to the internal hosts 192.168.1.5 and 192.168.1.6 on ports 80 and 5080.

Page 7: 2.1 A+P with User-Controlled ALG

• User A is assigned port 3000 on public IP 1.2.3.4.

• User has a server application that requires an ALG

• In CGN, User A provisions an A+P rule:

1.2.3.4:3000 prr User A-gw

• User-A gateway performs the ALG and NAT/forward to internal host 192.168.1.7

Figure: the user configures both parties out-of-band (3-party configuration). The CGN holds the A+P rule "prr 1.2.3.4:3000 to User A-gw" and performs no NAT; the A+P home gateway runs the ALG and NATs to 192.168.1.7 port 3000; a packet with Dst 1.2.3.4 port 3000 reaches the PC as 192.168.1.7 port 3000.

Page 8: 2.2 Port Forwarding

• User A is assigned port 3001 on public IP 1.2.3.4

• URL redirection: www.myurl.example.com -> www.myrealurl.example.com:3001

• In CGN, User-A provisions a port forwarding rule:

1.2.3.4:3001 nat 192.168.1.5:80

• 192.168.1.5 is a web server running behind the DS-lite home gateway.

Figure: the user configures the CGN out-of-band (2-party configuration). The CGN applies the port forwarding rule, NAT to 192.168.1.5 port 80; a packet with Dst 1.2.3.4 port 3001 passes through the home gateway to the PC (the diagram labels the PC 192.168.1.6 port 80).

Page 9: 3 - Dynamic Port Reservation (application driven)

• Many applications today rely on UPnP and/or NAT-PMP to signal that they need to reserve ports.

• Preserve the same semantics: the home gateway becomes a UPnP/NAT-PMP proxy to the CGN.

• NAT-PMP semantics are more appropriate than UPnP

– Returns "port X not available, use port Y instead"

Figure: application signaling from the PC ("NAT-PMP: Port X?") reaches the home gateway acting as NAT-PMP proxy, which repeats the request to the CGN (gateway signaling); the CGN answers "X not available, use Y" and the proxy relays the same answer to the PC. No user configuration is needed.
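The three allocation methods of pages 5 to 9 can be modeled as one CGN port table for a single public address. The following is an added example, not code from the draft or the slides; the public address 1.2.3.4 and the ports 3000/3001 come from the slides, while the idle timeout, the dynamic pool and the internal host addresses are constructed for the example.

```python
"""CGN port-allocation model for the three DS-lite methods on these slides.

Added example, not code from the draft or the slides. It models one public
IPv4 address (the slides' 1.2.3.4) whose ports are handed out three ways:
  1. automatic: a dynamic NAT44 binding for an outbound flow, expired after
     an idle timeout;
  2. static (user driven): an A+P reservation or a port-forwarding rule
     configured out of band through the ISP portal;
  3. dynamic (application driven): a NAT-PMP style "port X?" request that
     is answered either with X or with "X not available, use Y".
The idle timeout, the dynamic pool and the host addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "1.2.3.4"
Endpoint = Tuple[str, int]          # (internal IPv4 address, port)


@dataclass
class Binding:
    kind: str                        # 'dynamic' | 'a+p' | 'forward' | 'pmp'
    internal: Optional[Endpoint]     # None for A+P: the subscriber gateway owns the port
    last_seen: float                 # seconds; inf for static rules that never expire


@dataclass
class CgnPortTable:
    idle_timeout: float = 120.0                 # constructed; short enough to recycle ports
    dynamic_pool: range = range(10000, 10010)   # tiny pool so exhaustion is visible
    table: Dict[int, Binding] = field(default_factory=dict)

    # ---- 1. automatic assignment for flows initiated behind DS-lite ----
    def outbound(self, src: Endpoint, now: float) -> Optional[int]:
        """Public port for an inner (RFC 1918 address, port) source.

        Reuses a live binding and refreshes its timer; otherwise takes the
        first free pool port. Returns None when the pool is exhausted.
        """
        self.expire(now)
        for port, b in self.table.items():
            if b.kind == "dynamic" and b.internal == src:
                b.last_seen = now
                return port
        for port in self.dynamic_pool:
            if port not in self.table:
                self.table[port] = Binding("dynamic", src, now)
                return port
        return None

    def expire(self, now: float) -> None:
        """Drop dynamic bindings idle longer than the timeout; static rules stay."""
        idle = [p for p, b in self.table.items()
                if b.kind == "dynamic" and now - b.last_seen > self.idle_timeout]
        for p in idle:
            del self.table[p]

    # ---- 2. static, user-driven rules provisioned through the ISP portal ----
    def reserve_ap(self, port: int) -> bool:
        """A+P: PUBLIC_IP:port is routed to the subscriber gateway with no NAT."""
        return self._install(port, Binding("a+p", None, float("inf")))

    def forward(self, port: int, internal_ip: str, internal_port: int) -> bool:
        """Port forwarding: CGN NATs PUBLIC_IP:port to internal_ip:internal_port."""
        return self._install(port, Binding("forward", (internal_ip, internal_port), float("inf")))

    def _install(self, port: int, b: Binding) -> bool:
        if port in self.table:
            return False                     # port already taken: rule rejected
        self.table[port] = b
        return True

    # ---- 3. dynamic, application-driven reservation (NAT-PMP semantics) ----
    def pmp_request(self, wanted: int, internal: Endpoint, now: float) -> int:
        """Answer "port X?" with X, or with the next free port Y, the
        "X not available, use Y" reply the slide prefers to a plain refusal."""
        self.expire(now)
        port = wanted
        while port in self.table:
            port += 1
            if port > 65535:
                raise RuntimeError("no public port available")
        self.table[port] = Binding("pmp", internal, now)
        return port

    def lookup(self, port: int) -> Optional[Binding]:
        return self.table.get(port)


if __name__ == "__main__":
    cgn = CgnPortTable(idle_timeout=60)
    cgn.reserve_ap(3000)                              # page 7: A+P port for user A
    cgn.forward(3001, "192.168.1.5", 80)              # page 8: web server behind the gateway
    print(cgn.outbound(("192.168.1.9", 40000), now=0.0))          # 10000
    print(cgn.pmp_request(3000, ("192.168.1.7", 3000), now=0.0))  # 3002: 3000 and 3001 are taken
```

The static rules carry an infinite `last_seen` so the idle sweep never reclaims them, which is the property the portal-provisioned ports on page 6 need; only the automatic NAT44 bindings of page 5 are subject to the timeout.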

Page 10: Issues with MTU

Figure: PC – Home gateway – CGN – IPv4 Internet. The diagram shows MTU 1500 on the links at the PC and Internet ends and MTU 1460 for the tunnel segment between home gateway and CGN.

• pMTU discovery does NOT work over the tunnel

• IPv4 fragmentation needs to be avoided

Page 11: MTU

• General Rules in RFC2473 for Tunnel Entry-Point:

If the packet is over the MTU size after encapsulation and the IPv4 DF bit is clear

– The Entry-Point node will fragment the oversized IPv6 packet into two IPv6 packets and forward to the tunnel exit point.

If the packet is over the MTU size after encapsulation and the IPv4 DF bit is set

– The Entry-Point node will drop the packet and send an ICMPv6 Packet Too Big Msg to the sender.

Page 12: Fragmentation and CGN

• From Internet to DS-lite client: CGN will fragment the oversized IPv6 packet and forward to the tunnel immediately. This is fast and light-weight.

• From DS-lite to Internet: This requires the CGN to wait for the fragmented datagrams and re-assemble them for de-capsulation. CGN will need to maintain memory buffers for fragmented datagrams. This could have a significant impact on CGN performance.

• Good News: Most DS-lite clients receive traffic (watching video) rather than sourcing traffic (streaming video).

Page 13: Optimization

• In the draft, we suggest an optimization for TCP traffic: during the TCP 3-way handshake, CGN will lower the MSS option value to (MTU – tunnel overhead) in SYN and SYN-ACK.

• This optimization is used to ensure the TCP client and server will send smaller datagrams so that the size of the encapsulated datagram won't go beyond the MTU size. Hence, fragmentation won't occur.

• Issue: TCP-AO

Figure: PC – Home gateway – CGN – IPv4 Internet. The endpoints advertise MSS 1460; after the CGN lowers it, the MSS seen on the far side is 1420.
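The entry-point rules quoted on page 11 and the MSS clamp on page 13 work out, for the slides' 1500-byte links and 40-byte IPv6 overhead, to the 1460/1420 numbers in the diagrams. The following is an added example, not code from the draft or the slides, that applies both rules to constructed packets; the fragmenter is written for the general case (as many IPv6 fragments as the inner size needs), of which the slide's "two IPv6 packets" is the instance for inner packets up to 1500 bytes.

```python
"""Tunnel entry-point handling for a DS-lite IPv4-in-IPv6 tunnel.

Added example, not code from the draft or the slides. It models the two
RFC 2473 entry-point rules quoted on the "MTU" slide (fragment the IPv6
packet when DF is clear, drop and signal when DF is set) and the TCP MSS
clamp on the "Optimization" slide. Sizes are the slides' own: 1500-byte
links and a 40-byte IPv6 encapsulation overhead; the sample packets are
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_HDR = 40        # outer IPv6 header added by the tunnel entry point
IPV6_FRAG_HDR = 8    # IPv6 Fragment extension header
IPV4_HDR = 20        # inner IPv4 header without options
TCP_HDR = 20         # TCP header without options


@dataclass
class IPv4Packet:
    total_length: int          # bytes, IPv4 header included
    df: bool                   # Don't Fragment bit
    syn: bool = False          # SYN or SYN-ACK carrying an MSS option
    mss: Optional[int] = None


def encapsulate(pkt: IPv4Packet, link_mtu: int = 1500) -> Tuple[str, List[int]]:
    """Entry-point decision; returns (action, sizes of IPv6 packets sent).

    'forward'   the encapsulated packet fits in the link MTU
    'fragment'  DF clear: the IPv6 packet is split into IPv6 fragments
    'drop-ptb'  DF set: dropped; the slide describes an ICMPv6 Packet Too Big
                toward the sender
    """
    outer_len = pkt.total_length + IPV6_HDR
    if outer_len <= link_mtu:
        return "forward", [outer_len]
    if pkt.df:
        return "drop-ptb", []
    # IPv6 fragmentation: each fragment carries a 40-byte IPv6 header, an
    # 8-byte Fragment header and a slice of the inner packet; every slice but
    # the last must be a multiple of 8 bytes. The loop emits as many
    # fragments as needed, two for the inner sizes on the slides.
    slice_max = (link_mtu - IPV6_HDR - IPV6_FRAG_HDR) // 8 * 8
    sizes, remaining = [], pkt.total_length
    while remaining > 0:
        take = min(slice_max, remaining)
        sizes.append(IPV6_HDR + IPV6_FRAG_HDR + take)
        remaining -= take
    return "fragment", sizes


def clamp_mss(advertised_mss: int, link_mtu: int = 1500,
              encap_overhead: int = IPV6_HDR) -> int:
    """MSS value the CGN writes into SYN and SYN-ACK.

    The largest segment that survives encapsulation unfragmented is
    link_mtu - encap_overhead - IPv4 header - TCP header: 1420 for the
    slide's numbers. The MSS is only ever lowered, never raised.
    """
    ceiling = link_mtu - encap_overhead - IPV4_HDR - TCP_HDR
    return min(advertised_mss, ceiling)


def handle_handshake(pkt: IPv4Packet, link_mtu: int = 1500) -> IPv4Packet:
    """Rewrite the MSS option on a SYN/SYN-ACK passing through the CGN."""
    if pkt.syn and pkt.mss is not None:
        pkt.mss = clamp_mss(pkt.mss, link_mtu)
    return pkt


if __name__ == "__main__":
    print(encapsulate(IPv4Packet(1460, df=True)))   # ('forward', [1500])
    print(encapsulate(IPv4Packet(1500, df=False)))  # ('fragment', [1496, 100])
    print(encapsulate(IPv4Packet(1500, df=True)))   # ('drop-ptb', [])
    print(handle_handshake(IPv4Packet(60, df=True, syn=True, mss=1460)).mss)  # 1420
```

The rewrite in `handle_handshake` is also why the slide lists TCP-AO as an issue: TCP-AO's MAC covers the TCP options, so a SYN whose MSS option the CGN has changed no longer authenticates at the receiver.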

Page 14: Discussion Item

• Do we want to relax RFC2473 and fragment the datagram although the DF bit is set?

The argument is that fragmentation happens at the link layer. The tunnel end-point will re-assemble the datagram before de-capsulating.

This will allow the system to work in case pMTU is broken

RFC2460 already says "On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6."

Page 15: CGN Security

• 2 layers of ACL for packets coming out of the tunnel:

– Outer header ACL: Authorized clients only

– Inner header ACL: CGN only forwards datagrams coming from an authorized IP address range and transport port (RFC1918, IANA address, A+P)

– Other unauthorized datagrams will be dropped.

Page 16: ACL Discussions

• IPv6 ACL: CGN applies the ACL to the IPv6 address before de-capsulation. E.g., CGN serves the known client IPv6 prefixes but drops others.

• IPv4 ACL for RFC1918 + IANA Reserved DS-lite Prefix: CGN examines the inner IPv4 header. If the source address is in RFC1918 or the IANA Reserved DS-lite Prefix, CGN will NAT the datagram and forward it. If not, the datagram is dropped. This ACL is simple and rarely changed.

• A+P ACL: CGN will examine the inner IPv4 header. If the source address is in the authorized A+P address range, CGN will forward the datagram. This policy needs to be updated when the A+P address range is added, deleted or modified. Besides, each CGN may serve different A+P ranges, so each CGN may have a different A+P ACL.
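The two ACL layers of pages 15 and 16 are a short decision procedure: the outer IPv6 source gates de-capsulation, then the inner IPv4 source and port select NAT, A+P forwarding or drop. The following is an added example, not code from the draft or the slides. The client prefix, the A+P rule and the test datagrams are constructed sample policy on documentation addresses (the A+P rule reuses page 6's 1.2.3.4 and ports 3000 to 3004); RFC 1918 is the real range, and the slide's "IANA Reserved DS-lite Prefix" is assumed to be 192.0.0.0/29, the range RFC 6333 later reserved.

```python
"""Two-layer tunnel ingress ACL for a DS-lite CGN.

Added example, not code from the draft or the slides. Layer 1 checks the
outer IPv6 source before de-capsulation (known client prefixes only); layer 2
checks the inner IPv4 source after de-capsulation and picks NAT, A+P
forward or drop, as on the "CGN Security" and "ACL Discussions" slides.
The client prefixes and A+P rules are constructed sample policy. RFC 1918
is real; the slide's "IANA Reserved DS-lite Prefix" is assumed to be
192.0.0.0/29, the range RFC 6333 later reserved for this purpose.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DSLITE_RESERVED = [ip_network("192.0.0.0/29")]   # assumption, see the docstring

ApRule = Tuple[str, int, int]   # (IPv4 prefix, first port, last port) authorized for A+P


class TunnelIngressAcl:
    def __init__(self, client_prefixes: Iterable[str], ap_rules: Iterable[ApRule]):
        # Layer 1: IPv6 prefixes of the clients this CGN serves. Rarely changes.
        self.client_prefixes = [ip_network(p) for p in client_prefixes]
        # Layer 2 (A+P): address range plus the port range delegated to the
        # subscriber. Updated whenever a range is added, deleted or modified,
        # and different on each CGN.
        self.ap_rules = [(ip_network(net), lo, hi) for net, lo, hi in ap_rules]

    def outer_permits(self, outer_src_v6: str) -> bool:
        """Layer 1, applied before de-capsulation."""
        src = ip_address(outer_src_v6)
        return any(src in p for p in self.client_prefixes)

    def inner_action(self, inner_src_v4: str, inner_src_port: int) -> str:
        """Layer 2, applied to the de-capsulated IPv4 header."""
        src = ip_address(inner_src_v4)
        if any(src in n for n in RFC1918 + DSLITE_RESERVED):
            return "nat"           # private source: NAT44, then forward
        for net, lo, hi in self.ap_rules:
            if src in net and lo <= inner_src_port <= hi:
                return "forward"   # A+P source on a delegated port: forward, no NAT
        return "drop"              # anything else is unauthorized

    def decide(self, outer_src_v6: str, inner_src_v4: str, inner_src_port: int) -> str:
        """Decision for one datagram coming out of the tunnel."""
        if not self.outer_permits(outer_src_v6):
            return "drop-outer"    # dropped before the inner header is looked at
        return self.inner_action(inner_src_v4, inner_src_port)


def run_sample() -> List[Tuple[str, str]]:
    """Constructed datagrams (documentation addresses) through a sample policy."""
    acl = TunnelIngressAcl(client_prefixes=["2001:db8:100::/40"],
                           ap_rules=[("1.2.3.4/32", 3000, 3004)])  # page 6's A+P ports
    datagrams = [
        ("home-web-client", "2001:db8:1ff::1", "192.168.1.5", 80),
        ("a+p-user-a", "2001:db8:1ff::1", "1.2.3.4", 3000),
        ("a+p-wrong-port", "2001:db8:1ff::1", "1.2.3.4", 4000),
        ("spoofed-public", "2001:db8:1ff::1", "198.51.100.7", 80),
        ("unknown-client", "2001:db8:9999::1", "192.168.1.5", 80),
    ]
    return [(name, acl.decide(v6, v4, port)) for name, v6, v4, port in datagrams]


if __name__ == "__main__":
    for name, verdict in run_sample():
        print(f"{name:16s} {verdict}")
```

The port check in the A+P branch is what keeps a subscriber who holds 1.2.3.4:3000 from sourcing traffic as 1.2.3.4:4000, the "transport port" half of page 15's inner header rule; the outer check runs first so that datagrams from unknown IPv6 sources are never de-capsulated at all.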

Page 17: Other security issues

• The Internet community needs to deal with Web sites that put IPv4 addresses in a penalty box after a number of unsuccessful login attempts.

• More generally, the community needs to revisit the notion that an IPv4 address uniquely identifies a customer.

Page 18: Next steps?

• Working group last call?