Fragmentation and CGN

DS-lite update
Draft-ietf-softwire-dual-stack-lite-01.txt
Yiu Lee
IETF 75
Changes from 00 to 01
• Port allocation discussion
• Added more discussion for MTU
• Added more discussion for security
• New co-authors:
 Yiu Lee
 Randy Bush
Port Allocation Methods
• Automatic Port Assignment
• Static Reservation
 A+P with User-Controlled ALG
 Port forwarding
• Dynamic Port Reservation
Port Assignment
• DS-lite port assignment is modeled on what exists today in the NAT home gateway:
① Automatic port assignment by the NAT
② Static configuration via NAT web interface
③ UPnP/NAT-PMP dynamic port reservation
1 - Automatic Port Assignment
• Applies to flows initiated by a host behind DS-lite
• CGN will perform standard NAT-44 after de-capsulating the IPv6 header.
• CGN creates this NAT-binding dynamically and will expire it if there are no datagrams flowing for a timeout interval.
 This timeout interval should be short enough to maximize port utilization and long enough not to disrupt applications.
2 - Static Port Reservation
(user driven)
• Service Provider will assign a (small) number of ports to be directly under the control of customers.
 The method to distribute them can be out-of-band
– e.g.: ISP portal
• This enables inbound connections
• User can configure the static port forwarding policy of the CGN to specify 2 possible behaviors:
 A+P
 Port forwarding
[Figure: ISP portal, "Address & port control" tab]
User: foo
External IPv4 address: 1.2.3.4

Port   A+P   Port forwarding   Internal IP    Port
3000    x
3001           x               192.168.1.5    80
3002           x               192.168.1.6    5080
3003    x
3004    x
…
2.1 A+P with User-Controlled ALG
• User A is assigned port 3000 on public IP 1.2.3.4.
• User has a server application that requires an ALG
• In CGN, User A provisions an A+P rule:
 1.2.3.4:3000 prr User A-gw
• User-A gateway performs the ALG and NAT/forward to internal host 192.168.1.7

[Figure: packet with Dst 1.2.3.4, port 3000 arrives at the CGN; A+P rule "prr 1.2.3.4:3000 to User A-gw", no NAT at the CGN; the home gateway runs the ALG and NATs to 192.168.1.7, port 3000 on the user's PC; out-of-band 3-party configuration by the user]
2.2 Port Forwarding
• User A is assigned port 3001 on public IP 1.2.3.4
• URL redirection: www.myurl.example.com -> www.myrealurl.example.com:3001
• In CGN, User-A provisions a port forwarding rule:
 1.2.3.4:3001 nat 192.168.1.5:80
• 192.168.1.5 is a web server running behind the DS-lite home gateway.

[Figure: packet with Dst 1.2.3.4, port 3001 arrives at the CGN; the port forwarding rule NATs it to 192.168.1.5, port 80 and forwards it through the home gateway to the user's PC (labelled 192.168.1.6, port 80 in the figure); out-of-band 2-party configuration by the user]
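The two user-driven behaviours on the preceding slides (A+P "prr" and port forwarding) differ in who rewrites the packet. The following is an added example, not code from the draft or its authors, of how a CGN could key the portal's static reservations and dispatch an inbound IPv4 packet; the IPv6 tunnel endpoint of the home gateway (GW_FOO) is a constructed placeholder and the port table is the one shown on the ISP portal slide.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example: CGN lookup of user-driven static port reservations, built from the
# "ISP portal" table on the slides (user foo, external address 1.2.3.4). The IPv6
# tunnel endpoint of the home gateway is constructed; this is not the draft's code.


@dataclass(frozen=True)
class Reservation:
    behaviour: str          # "A+P" or "port-forwarding"
    tunnel_endpoint: str    # IPv6 address of the subscriber's home gateway (constructed)
    internal_ip: Optional[str] = None
    internal_port: Optional[int] = None


GW_FOO = "2001:db8:0:1::2"  # constructed tunnel endpoint for user foo

# Keyed on (external IPv4 address, external port), as the CGN would index it.
RESERVATIONS: Dict[Tuple[str, int], Reservation] = {
    ("1.2.3.4", 3000): Reservation("A+P", GW_FOO),
    ("1.2.3.4", 3001): Reservation("port-forwarding", GW_FOO, "192.168.1.5", 80),
    ("1.2.3.4", 3002): Reservation("port-forwarding", GW_FOO, "192.168.1.6", 5080),
    ("1.2.3.4", 3003): Reservation("A+P", GW_FOO),
    ("1.2.3.4", 3004): Reservation("A+P", GW_FOO),
}


def cgn_inbound(dst_ip: str, dst_port: int,
                reservations: Dict[Tuple[str, int], Reservation] = RESERVATIONS) -> dict:
    """Decide what the CGN does with an inbound IPv4 packet addressed to dst_ip:dst_port.

    Returns a description of the action; a real CGN would then encapsulate the
    (possibly rewritten) packet in IPv6 towards "tunnel_to".
    """
    res = reservations.get((dst_ip, dst_port))
    if res is None:
        # No static reservation. Only a dynamic NAT binding created by outbound
        # traffic could match; an unsolicited inbound packet is dropped.
        return {"action": "drop", "reason": "no reservation"}
    if res.behaviour == "A+P":
        # "prr": hand the packet to the home gateway unchanged. The gateway owns
        # this port and performs any ALG and NAT to the internal host itself.
        return {"action": "prr", "tunnel_to": res.tunnel_endpoint,
                "dst": (dst_ip, dst_port)}
    # Port forwarding: the CGN rewrites the destination before encapsulating.
    return {"action": "nat", "tunnel_to": res.tunnel_endpoint,
            "dst": (res.internal_ip, res.internal_port)}


if __name__ == "__main__":
    for port in (3000, 3001, 3002, 4000):
        print(port, cgn_inbound("1.2.3.4", port))
```

Port 3000 is handed to the gateway untouched (the ALG and the final NAT happen there), port 3001 is rewritten by the CGN itself, and a port with no reservation and no dynamic binding is dropped, which is what keeps the shared address from exposing unreserved ports of other subscribers.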
3 - Dynamic Port Reservation
(application driven)
• Many applications today rely on UPnP and/or NAT-PMP to signal that they need to reserve ports.
• Preserve the same semantic: the home gateway becomes a UPnP/NAT-PMP proxy to the CGN.
• NAT-PMP semantic is more appropriate than UPnP
 Returns “port X not available, use port Y instead”

[Figure: application signaling, PC to home gateway (NAT-PMP proxy): NAT-PMP "Port X?"; gateway signaling, home gateway to CGN: NAT-PMP "Port X?"; CGN to home gateway: "X not available, use Y"; home gateway to PC: "X not available, use Y". No user configuration]
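The "port X not available, use port Y instead" semantic is what makes NAT-PMP proxyable: the CGN can answer with a different port and the gateway only has to mirror that decision. The following added example (not the draft's or the authors' code) models the exchange in the figure: an application on the LAN sends a NAT-PMP mapping request, the home gateway relays it to a CGN that allocates from the subscriber's own range, and the gateway records whatever external port comes back. The wire format follows RFC 6886 (the same encoding the slide's NAT-PMP refers to); the subscriber name, port range and LAN hosts are constructed.

```python
import struct
import time

# Added example: NAT-PMP proxying between a DS-lite home gateway and the CGN as the slide
# describes it. Wire format per RFC 6886. Subscriber ranges and hosts are constructed;
# this is not the draft's code.

REQ_FMT = "!BBHHHI"    # version, opcode, reserved, internal port, suggested external port, lifetime
RESP_FMT = "!BBHIHHI"  # version, opcode|0x80, result code, seconds since epoch, internal port,
                       # mapped external port, lifetime
OP_MAP_TCP = 2
RESULT_SUCCESS = 0
RESULT_OUT_OF_RESOURCES = 4


def build_request(internal_port, suggested_external, lifetime=3600, op=OP_MAP_TCP):
    return struct.pack(REQ_FMT, 0, op, 0, internal_port, suggested_external, lifetime)


def parse_response(data):
    _ver, op, result, _epoch, iport, eport, life = struct.unpack(RESP_FMT, data)
    return {"opcode": op, "result": result, "internal_port": iport,
            "external_port": eport, "lifetime": life}


class Cgn:
    """CGN side: each subscriber owns a small port range on the shared IPv4 address."""

    def __init__(self, ranges):
        self.ranges = ranges      # subscriber -> range of external ports it may reserve
        self.in_use = {}          # external port -> subscriber
        self.start = time.time()

    def handle(self, subscriber, request):
        _ver, op, _res, iport, suggested, life = struct.unpack(REQ_FMT, request)
        allowed = self.ranges[subscriber]
        epoch = int(time.time() - self.start)
        if suggested in allowed and suggested not in self.in_use:
            external = suggested
        else:
            # "port X not available, use port Y instead": offer the lowest free port
            # in the subscriber's range instead of refusing the request outright
            free = [p for p in allowed if p not in self.in_use]
            if not free:
                return struct.pack(RESP_FMT, 0, op | 0x80, RESULT_OUT_OF_RESOURCES,
                                   epoch, iport, 0, 0)
            external = free[0]
        self.in_use[external] = subscriber
        return struct.pack(RESP_FMT, 0, op | 0x80, RESULT_SUCCESS, epoch, iport, external, life)


class GatewayProxy:
    """Home gateway: answers NAT-PMP on the LAN by relaying each request to the CGN."""

    def __init__(self, subscriber, cgn):
        self.subscriber, self.cgn = subscriber, cgn
        self.local_map = {}       # external port -> (LAN host, internal port)

    def handle(self, lan_host, request):
        response = self.cgn.handle(self.subscriber, request)   # relayed unchanged
        r = parse_response(response)
        if r["result"] == RESULT_SUCCESS:
            # mirror the CGN's decision so the gateway can NAT inbound traffic
            self.local_map[r["external_port"]] = (lan_host, r["internal_port"])
        return response


def demo():
    """Two LAN hosts both ask for external port 3005; the second is given 3006."""
    cgn = Cgn({"foo": range(3005, 3010)})
    gw = GatewayProxy("foo", cgn)
    first = parse_response(gw.handle("192.168.1.5", build_request(80, 3005)))
    second = parse_response(gw.handle("192.168.1.6", build_request(80, 3005)))
    return first["external_port"], second["external_port"], dict(gw.local_map)


if __name__ == "__main__":
    print(demo())
```

The allocator never hands out a port outside the subscriber's range, so a LAN application cannot use a mapping request to claim a port that belongs to another customer on the same public address; when the range is exhausted the CGN returns the NAT-PMP "out of resources" code rather than silently failing.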
Issues with MTU
[Figure: links PC to home gateway, MTU 1500; home gateway to CGN (tunnel), MTU 1460; CGN to IPv4 Internet, MTU 1500]
pMTU discovery does NOT work over the tunnel
IPv4 fragmentation needs to be avoided
MTU
• General Rules in RFC2473 for Tunnel Entry-Point:
 If the packet is over the MTU size after encapsulation and the IPv4 DF bit is clear
– The Entry-Point node will fragment the oversized IPv6 packet into two IPv6 packets and forward them to the tunnel exit point.
 If the packet is over the MTU size after encapsulation and the IPv4 DF bit is set
– The Entry-Point node will drop the packet and send an ICMPv6 Packet Too Big message to the sender.
Fragmentation and CGN
• From Internet to DS-lite client:
 CGN will fragment the oversized IPv6 packet and forward it to the tunnel immediately. This is fast and light-weight.
• From DS-lite to Internet:
 This requires the CGN to wait for the fragmented datagrams and re-assemble them for de-capsulation. CGN will need to maintain memory buffers for fragmented datagrams. This could have a significant impact on CGN performance.
• Good News
 Most DS-lite clients receive traffic (watching video) rather than sourcing traffic (streaming video).
Optimization
• In the draft, we suggest an optimization for TCP traffic
 During the TCP 3-way handshake, CGN will lower the MSS option value to (MTU – tunnel overhead) in SYN and SYN-ACK.
• This optimization is used to ensure the TCP client and server will send smaller datagrams so that the size of the encapsulated datagram won’t go beyond the MTU size. Hence, fragmentation won’t occur.
• Issue: TCP-AO

[Figure: PC sends MSS 1460; home gateway passes MSS 1460 into the tunnel; CGN rewrites it to MSS 1420 towards the IPv4 Internet]
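The following added example (not the draft's code) shows the arithmetic behind the figure and the rewrite itself: with a 1500-byte link and the 40-byte IPv6 tunnel header, an MSS of 1460 produces 1500-byte IPv4 packets that become 1540 bytes once encapsulated, while 1420 makes the encapsulated packet exactly 1500. It also applies the RFC 2473 entry-point rule from the MTU slide to both cases, so the "before" and "after" of the optimization can be compared. The TCP option bytes are constructed.

```python
import struct

# Added example: the MSS clamping optimization from the slide, plus the RFC 2473
# entry-point behaviour from the MTU slide to show why it matters. Header sizes are
# the standard ones; the option bytes are constructed. This is not the draft's code.

IPV6_HDR = 40   # DS-lite tunnel overhead: one IPv6 header around the IPv4 packet
IPV4_HDR = 20
TCP_HDR = 20
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def clamped_mss(link_mtu=1500, tunnel_overhead=IPV6_HDR):
    """Largest MSS whose full-size segment still fits the link after encapsulation.

    With a 1500-byte link and a 40-byte IPv6 header this is 1500 - 40 - 20 - 20 = 1420,
    the value shown on the slide between the CGN and the IPv4 Internet.
    """
    return link_mtu - tunnel_overhead - IPV4_HDR - TCP_HDR


def clamp_mss_option(options: bytes, limit: int) -> bytes:
    """Rewrite the MSS option in a SYN/SYN-ACK's TCP options to at most `limit`.

    Every other option is copied through unchanged. Malformed option lengths raise,
    which is the safe behaviour for a middlebox that rewrites headers.
    """
    out = bytearray()
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            out += options[i:]
            break
        if kind == TCP_OPT_NOP:
            out.append(kind)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
            out += struct.pack("!BBH", kind, 4, min(mss, limit))
        else:
            out += options[i:i + length]
        i += length
    return bytes(out)


def entry_point_action(ipv4_len: int, df: bool, link_mtu=1500, tunnel_overhead=IPV6_HDR) -> str:
    """Tunnel entry-point decision as the MTU slide summarises RFC 2473."""
    if ipv4_len + tunnel_overhead <= link_mtu:
        return "forward"
    return "drop+packet-too-big" if df else "fragment-ipv6"


def full_segment_len(mss: int) -> int:
    """IPv4 packet length of a full-size TCP segment for a given MSS (no options)."""
    return IPV4_HDR + TCP_HDR + mss


if __name__ == "__main__":
    # Without clamping: MSS 1460 -> 1500-byte IPv4 packets, 1540 after encapsulation.
    print(entry_point_action(full_segment_len(1460), df=True))   # drop+packet-too-big
    # With clamping: MSS 1420 -> 1460-byte packets, exactly 1500 after encapsulation.
    print(entry_point_action(full_segment_len(clamped_mss()), df=True))   # forward
```

The rewrite touches a TCP option, which is why the slide lists TCP-AO as an issue: the TCP-AO MAC covers the TCP options by default, so an authenticated SYN whose MSS a middlebox has lowered no longer verifies at the peer.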
Discussion Item
• Do we want to relax RFC2473 and fragment the datagram even though the DF bit is set?
 The argument is that fragmentation happens at the link layer. The tunnel end-point will re-assemble the datagram before de-capsulating.
 This would allow the system to work in case pMTU discovery is broken.
 RFC2460 already says “On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6.”
CGN Security
• 2 layers of ACL for packets coming out of the tunnel:
 Outer header ACL
– Authorized clients only
 Inner header ACL
– CGN only forwards datagrams coming from authorized IP address ranges and transport ports:
 RFC1918
 IANA address
 A+P
– Other unauthorized datagrams will be dropped.
ACL Discussions
• IPv6 ACL
 CGN applies the ACL to the IPv6 address before de-capsulation. E.g., CGN serves the known client IPv6 prefixes but drops others.
• IPv4 ACL for RFC1918 + IANA Reserved DS-lite Prefix
 CGN examines the inner IPv4 header. If the source address is in RFC1918 space or the IANA Reserved DS-lite Prefix, CGN will NAT the datagram and forward it. If not, the datagram is dropped.
 This ACL is simple and rarely changed.
• A+P ACL
 CGN will examine the inner IPv4 header. If the source address and port are in an authorized A+P range, CGN will forward the datagram.
 This policy needs to be updated when an A+P address range is added, deleted or modified. Besides, each CGN may serve different A+P ranges, so each CGN may have a different A+P ACL.
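The following added example (not the draft's or the authors' code) runs the two ACL layers from the "CGN Security" and "ACL Discussions" slides over constructed packets: the outer IPv6 source is checked against the known client prefixes first, then the inner IPv4 source either falls into the NAT rule (RFC1918 plus the reserved DS-lite prefix) or must match an A+P entry. The client prefix, A+P table and packets are constructed; 192.0.0.0/29 is the prefix later reserved for DS-lite by RFC 6333 and is an assumption here, since the slides only say "IANA Reserved DS-lite Prefix". Binding each A+P range to the tunnel endpoint that owns it is this example's choice and stricter than the slide's wording; it prevents one subscriber from sourcing packets with another subscriber's A+P address and port.

```python
import ipaddress

# Added example: two-layer ingress ACL from the "CGN Security" and "ACL Discussions"
# slides, applied to decapsulated packets. Client prefix, A+P table and packets are
# constructed. 192.0.0.0/29 (RFC 6333) stands in for the slides' "IANA Reserved DS-lite
# Prefix" as an assumption. Tying an A+P range to one tunnel endpoint is this example's
# choice, stricter than the slide. This is not the draft's code.

# Outer-header ACL: only known DS-lite client prefixes may send into the tunnel
AUTHORIZED_CLIENTS = [ipaddress.ip_network("2001:db8:1::/48")]

# Inner-header ACL, NAT rule: RFC1918 space plus the IANA-reserved DS-lite prefix.
# Simple and rarely changed.
NAT_SOURCES = [ipaddress.ip_network(p) for p in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.0.0/29")]

# Inner-header ACL, A+P rule: (public IPv4, port range, tunnel endpoint that owns it).
# Unlike NAT_SOURCES this table changes whenever A+P ranges are added or removed.
AP_RANGES = [
    (ipaddress.ip_address("1.2.3.4"), range(3000, 3005), ipaddress.ip_address("2001:db8:1::2")),
]


def cgn_ingress(outer_src: str, inner_src: str, inner_sport: int) -> str:
    """Classify a packet arriving from the tunnel: 'nat', 'forward' or a drop reason."""
    src6 = ipaddress.ip_address(outer_src)
    # Layer 1: outer IPv6 header, checked before any decapsulation work is spent
    if not any(src6 in net for net in AUTHORIZED_CLIENTS):
        return "drop: outer header not an authorized client"
    src4 = ipaddress.ip_address(inner_src)
    # Layer 2a: inner IPv4 source in private or reserved space -> NAT44 and forward
    if any(src4 in net for net in NAT_SOURCES):
        return "nat"
    # Layer 2b: inner source is an A+P address:port owned by this very tunnel
    for public_ip, ports, endpoint in AP_RANGES:
        if src4 == public_ip and inner_sport in ports and src6 == endpoint:
            return "forward"
    return "drop: inner header not authorized"


if __name__ == "__main__":
    for pkt in [("2001:db8:1::2", "192.168.1.5", 40000),
                ("2001:db8:1::2", "1.2.3.4", 3000),
                ("2001:db8:1::9", "1.2.3.4", 3000),
                ("2001:db8:1::2", "198.51.100.7", 80),
                ("2001:db8:ffff::1", "192.168.1.5", 40000)]:
        print(pkt, "->", cgn_ingress(*pkt))
```

The third packet in the usage run is the case the slide's wording alone does not catch: an authorized client sending from another subscriber's A+P address and port is dropped only because the rule is tied to the owning tunnel endpoint.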
Other security issues
• The Internet community needs to deal with Web sites that put IPv4 addresses in a penalty box after a number of unsuccessful login attempts.
• More generally, the community needs to revisit the notion that an IPv4 address uniquely identifies a customer.
Next steps?
• Working group last call?