Port Restricted IP Address Assignment - PowerPoint PPT Presentation

SLIDE 1

Port Restricted IP Address Assignment

draft-bajko-v6ops-port-restricted-ipaddr-assign

Gabor Bajko (Nokia) Teemu Savolainen (Nokia) Softwires WG meeting @ IETF#73

SLIDE 2

Intended usage scenarios

Managed and tightly controlled networks

  • Generally for networks where host support for specific features can be mandated – e.g. via requirements or certification
  • Cellular networks in particular, where a large number of hosts need simple IPv4 connectivity for a few applications and which are increasingly always-on IP connected

Intended to be mainly used on point-to-point

  • Physical access links (L2): e.g. 3GPP IPv4 EPS bearer, WMF IPv4 CS
  • IPv4-over-IPv6 tunneled access links (L3): over IPv6 clouds, IPv6 PPP, IPv6 EPS bearer, etc.

Usage to be restricted to avoid interference with current internet connectivity practices

On demand allocation at DHCP request time

SLIDE 3

Physical point-to-point links with or w/o IPv6

[Figure: a large number of hosts on point-to-point links to a Gateway, behind it the network core and a DS Internet Border Router]

DHCP server with pool of public IPv4 addresses for allocation as port restricted addresses.

From the network's point of view, full IPv4 addresses are always routed to the Gateway (which then multiplexes to hosts).

Point-to-point links where DHCP is used over L2:

  • IPv4-only
  • Native Dual-stack

e.g. 1) 3GPP IPv4 or DS type of EPS bearer 2) WiMAX IPv4 CS or Ethernet CS

SLIDE 4

Tunneled point-to-point IPv4-over-IPv6 links

[Figure: a large number of hosts on IPv6-only point-to-point links through a Gateway to a Tunnel Endpoint Gateway, behind it the network core and a DS Internet Border Router]

IPv4-over-IPv6 tunnels on IPv6-only point-to-point links, e.g. 3GPP IPv6 type of EPS bearer, or WiMAX IPv6 CS. Transparent for the Gateway.

DHCP server with pool of public IPv4 addresses for allocation as port restricted addresses.

From the network's point of view, full IPv4 addresses are always routed to the Gateway (which then multiplexes to hosts).

SLIDE 5

About gateway functionality

Gateway has a pool of public IPv4 addresses

Gateway can also act as a NAT for legacy hosts (CGN)

Gateway allocates port-restricted IPv4 addresses and multiplexes based on ports

The same holds for both the first hop Gateway and the Tunnel Endpoint Gateway

Gateway handles fragments (multiplexing needs the port information)

SLIDE 6

Gateway multiplexing tables

For physical link scenario

Point-to-point link | Public address + port range
Link 1              | 129.0.0.1 / 5000-5999
Link 2              | 129.0.0.1 / 6000-6999

For IPv4-over-IPv6 tunneled link scenario with DS-Lite

Point-to-point tunnel               | Public address + port (range)
Softwire 1 / 10.0.0.1 / TCP 10000   | 129.0.0.1 / TCP 5000
Softwire 2                          | 129.0.0.1 / 6000-6999

The same table for both translation and tunnel multiplexing
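The gateway behaviour of slides 5 and 6 (port-based multiplexing, plus the fragment problem) as an added Python example. This is not code from the draft or the presentation: the multiplexing table is constructed from the slide-6 physical-link table, the packet builder produces test datagrams with a zero checksum, and the fragment cache keyed by (source, destination, identification, protocol) is one straightforward way for the gateway to place non-first fragments, which carry no transport header and therefore no port.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed table modelled on the physical-link table of slide 6: one public
# IPv4 address shared by two point-to-point links, split by port range.
@dataclass(frozen=True)
class LinkEntry:
    link: str
    public_addr: str
    port_lo: int
    port_hi: int


TABLE: List[LinkEntry] = [
    LinkEntry("Link 1", "129.0.0.1", 5000, 5999),
    LinkEntry("Link 2", "129.0.0.1", 6000, 6999),
]

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
IPV4_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def make_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1,
              more_frags: bool = False, frag_offset: int = 0) -> bytes:
    """Build a test datagram (constructed input; header checksum left at zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


class Gateway:
    """Downstream demultiplexer: (public address, destination port) -> link."""

    def __init__(self, table: List[LinkEntry]) -> None:
        self.table = table
        # Learned from first fragments, keyed by (src, dst, id, proto): later
        # fragments carry no transport header, so the port must be remembered.
        self.frag_cache: Dict[Tuple[str, str, int, int], str] = {}

    def lookup(self, addr: str, port: int) -> Optional[str]:
        for e in self.table:
            if e.public_addr == addr and e.port_lo <= port <= e.port_hi:
                return e.link
        return None   # port outside every allocated range: not deliverable

    def dispatch(self, pkt: bytes) -> Optional[str]:
        """Return the link a downstream packet belongs to, or None to drop it."""
        ver_ihl, _, _, ident, flags_frag, _, proto, _, src_b, dst_b = struct.unpack(IPV4_HDR, pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        src, dst = str(ipaddress.IPv4Address(src_b)), str(ipaddress.IPv4Address(dst_b))
        more_frags, offset = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
        key = (src, dst, ident, proto)

        if offset != 0:
            # Non-first fragment: only deliverable if its first fragment was seen.
            link = self.frag_cache.get(key)
            if link is not None and not more_frags:
                del self.frag_cache[key]   # last fragment: forget the datagram
            return link

        if proto not in (IP_PROTO_TCP, IP_PROTO_UDP) or len(pkt) < ihl + 4:
            return None   # no port to multiplex on (e.g. ICMP echo, cf. slide 11)
        dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        link = self.lookup(dst, dst_port)
        if link is not None and more_frags:
            self.frag_cache[key] = link   # remember for the fragments that follow
        return link


def demo() -> List[Optional[str]]:
    """Run constructed packets through the gateway; returns the chosen link per packet."""
    gw = Gateway(TABLE)

    def udp(dport: int) -> bytes:   # bare UDP header: src port, dst port, length, checksum
        return struct.pack("!HHHH", 40000, dport, 8, 0)

    peer, pub = "203.0.113.9", "129.0.0.1"
    return [
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_UDP, udp(5500))),     # Link 1
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_UDP, udp(6100))),     # Link 2
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_UDP, udp(7000))),     # unallocated port
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_ICMP, b"\x08\x00\x00\x00")),   # no port
        # fragmented datagram: the first fragment carries the port, the second does not
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_UDP, udp(6500), ident=7, more_frags=True)),
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_UDP, b"\x00" * 8, ident=7, frag_offset=1)),
        # out of order: a later fragment arriving before its first one cannot be placed
        gw.dispatch(make_ipv4(peer, pub, IP_PROTO_UDP, b"\x00" * 8, ident=9, frag_offset=1)),
    ]


if __name__ == "__main__":
    print(demo())
```

The last two cases are the practical reason slide 5 says the gateway must handle fragments: a real gateway would have to buffer out-of-order fragments (with a timeout) rather than drop them as this toy does, and an attacker-controlled fragment stream is exactly the kind of state a CGN or gateway needs to bound.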

SLIDE 7

CGN allocating port-restricted IPv4 addresses in DS-Lite environment

[Figure: IPv6 Intranet / IPv6 Internet on one side and the IPv4 Internet on the other, with the CGN (IPv4-over-IPv6 Tunnel Endpoint Gateway + NAT, external address 192.0.2.1) in between. Two Tunneling CPEs (2002:1::1 and 2002:2::2) each front a Legacy IPv4 device at 192.168.0.1; an Updated device (2002:3::3) is connected directly to the Internet and holds 192.0.2.1:6000-6999. Figure labels: v4v6 DS, v4-only. CGN IPv6 address: anycast, provisioned, via DHCPv6 option, RA…]

Illustrative mappings on CGN:

Internal                         | External
(2002:1::1 * 192.168.0.1:5555)   | 192.0.2.1:1234
(2002:2::2 * 192.168.0.1:5555)   | 192.0.2.1:1235
(2002:3::3)                      | 192.0.2.1:6000-6999

SLIDE 8

Port-restricted IPv4 addresses and DS-Lite coexistence

DS-Lite CGN to support port-restricted IPv4 address allocation

  • Enables benefits for modified hosts (NAT-less functionality)
  • Decreases CGN load
  • Enables more customer control if NAT is in host/CPE instead of CGN

Port multiplexing efficiency as a configurable parameter:

  • When 0 ports are configured available for static reservation by hosts => CGN-only functionality
  • When 64k ports are configured available for static reservation => basically a dynamic IPv4-over-IPv6 tunneling solution

If the allocated port-range for hosts is very small, hosts could utilize port-restricted addresses and CGN in parallel:

  • Class of applications would utilize CGN, e.g. HTTP applications with significant but short-lived port usage
  • Class of always-on applications could utilize port-restricted IP addresses to avoid NAT keep-alives and for P2P communication (e.g. VoIP)

SLIDE 9

NAT in a Host

Port-Restricted IP address can be hidden from the users/applications by implementing an internal NAT

Looks just the same as NAT in CPE or CGN

Provides a distributed NAT functionality, with the NAT functionality moved from the network to the end host

+ Allows local optimizations for NAT traversal
+ Continued support for NAT control protocols
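The host-internal NAT of slide 9 as an added Python example (not code from the draft or the presentation). It models the host side only, on abstract (protocol, port) tuples rather than packets: applications keep using arbitrary local ports and the NAT rewrites the source port into the allocated range on the way out and back on the way in. The port range is the Link 1 range from slide 6; the endpoint-independent mapping policy (one external port per local port, whatever the remote peer) is an assumption chosen because it is the friendliest for the P2P and NAT-traversal use mentioned on slide 8.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


class HostNat:
    """Host-internal NAT in front of a port-restricted IPv4 address.

    Assumed policy: endpoint-independent mapping, lowest free port first.
    """

    def __init__(self, public_addr: str, port_lo: int, port_hi: int) -> None:
        if not 0 < port_lo <= port_hi < 65536:
            raise ValueError("invalid port range")
        self.public_addr = public_addr
        self.free_ports = list(range(port_lo, port_hi + 1))
        self.out_map: Dict[Tuple[str, int], int] = {}   # (proto, local port) -> external port
        self.in_map: Dict[Tuple[str, int], int] = {}    # (proto, external port) -> local port

    def outbound(self, proto: str, local_port: int) -> Optional[Endpoint]:
        """Translate a locally originated flow; None when the port range is exhausted."""
        key = (proto, local_port)
        if key not in self.out_map:
            if not self.free_ports:
                return None   # nothing left in the allocated range: the socket call fails
            ext = self.free_ports.pop(0)
            self.out_map[key] = ext
            self.in_map[(proto, ext)] = local_port
        return self.public_addr, self.out_map[key]

    def inbound(self, proto: str, ext_port: int) -> Optional[int]:
        """Map an inbound packet back to the local port; None means drop (no mapping)."""
        return self.in_map.get((proto, ext_port))

    def release(self, proto: str, local_port: int) -> None:
        """Tear down a mapping (socket closed) and return its port to the range."""
        ext = self.out_map.pop((proto, local_port), None)
        if ext is not None:
            del self.in_map[(proto, ext)]
            self.free_ports.append(ext)


def demo() -> Dict[str, object]:
    """Constructed scenario on the slide-6 Link 1 range 129.0.0.1 / 5000-5999."""
    nat = HostNat("129.0.0.1", 5000, 5999)
    first = nat.outbound("udp", 40000)      # new flow -> first free port in the range
    same = nat.outbound("udp", 40000)       # same local port again -> same mapping
    second = nat.outbound("udp", 40001)     # next local port -> next external port
    back = nat.inbound("udp", 5000)         # reply arrives on the external port
    stray = nat.inbound("udp", 5500)        # unsolicited packet with no mapping: dropped
    nat.release("udp", 40000)               # 5000 goes back to the pool (at the end)
    reused = nat.outbound("tcp", 12345)
    remaining = len(nat.free_ports)
    for p in range(20000, 20000 + remaining):   # burn through what is left ...
        nat.outbound("tcp", p)
    exhausted = nat.outbound("tcp", 30000) is None   # ... and observe the failure mode
    return {"first": first, "same": same, "second": second, "back": back,
            "stray": stray, "reused": reused, "remaining": remaining, "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

The exhaustion path is what distinguishes a port-restricted host from one with a full address: with only a thousand ports, a port-hungry application (the short-lived HTTP class from slide 8) runs the range dry quickly, which is the argument for letting such applications go through the CGN instead.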

SLIDE 10

Host and Network behavior

Host includes new DHCP option (OPTION-IPv4-RPR) to indicate capability for port-restricted IP addresses

On reception of OPTION-IPv4-RPR DHCP server may offer OPTION-IPv4-OPR and set ‘yiaddr’ to ‘0.0.0.0’ to ensure client does not configure a full IP address

On absence of OPTION-IPv4-RPR server shall allocate full public/private IP address, or as last resort force OPTION-IPv4-OPR for client
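The server-side decision of slide 10, combined with the configurable port-reservation knob of slide 8, as an added Python example. It is not code from the draft or the presentation, and it assumes several things the slides do not give: the option codes 224 and 225 are placeholders for OPTION-IPv4-RPR and OPTION-IPv4-OPR, the OPR payload layout (address, first port, last port) is invented for the example, the reserved ports are taken from the top of the port space, and the DHCP exchange is reduced to a single discover/offer call rather than real packets.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder option codes: the slides name the options but give no numbers.
OPTION_IPV4_RPR = 224   # client -> server: "I can use a port-restricted address"
OPTION_IPV4_OPR = 225   # server -> client: offered address + port range

PortBlock = Tuple[str, int, int]   # (public address, first port, last port)


@dataclass(frozen=True)
class Offer:
    yiaddr: str
    options: Dict[int, bytes]


def encode_opr(addr: str, lo: int, hi: int) -> bytes:
    """Assumed wire layout: 4-byte IPv4 address, 2-byte first port, 2-byte last port."""
    return ipaddress.IPv4Address(addr).packed + struct.pack("!HH", lo, hi)


def decode_opr(data: bytes) -> PortBlock:
    lo, hi = struct.unpack("!HH", data[4:8])
    return str(ipaddress.IPv4Address(data[:4])), lo, hi


class PortRestrictedDhcpServer:
    """Slide-10 decision logic on top of the slide-8 port-reservation parameter."""

    def __init__(self, full_pool: List[str], shared_pool: List[str],
                 reserved_ports: int, block_size: int) -> None:
        # reserved_ports: ports per shared address that hosts may reserve statically;
        # 0 leaves everything to the CGN, 65536 hands the whole port space to hosts.
        if not 0 <= reserved_ports <= 65536 or reserved_ports % block_size:
            raise ValueError("reserved_ports must be a multiple of block_size in 0..65536")
        self.full_free: List[str] = list(full_pool)
        first_port = 65536 - reserved_ports   # assumption: reserved blocks sit at the top
        self.blocks_free: List[PortBlock] = [
            (addr, lo, lo + block_size - 1)
            for addr in shared_pool for lo in range(first_port, 65536, block_size)
        ]
        self.cgn_ports_per_addr = first_port   # what the CGN keeps on each shared address
        self.leases: Dict[str, object] = {}

    def handle_discover(self, client_id: str, options: Dict[int, bytes]) -> Optional[Offer]:
        capable = OPTION_IPV4_RPR in options
        if capable and self.blocks_free:
            return self._offer_block(client_id)
        if self.full_free:
            # No RPR (or no block left): allocate a full address as the slide requires.
            addr = self.full_free.pop(0)
            self.leases[client_id] = addr
            return Offer(addr, {})
        if self.blocks_free:
            # Last resort from slide 10: force a port-restricted offer on a client that
            # did not announce support; a legacy client will not know what to do with it.
            return self._offer_block(client_id)
        return None   # pools exhausted: no offer

    def _offer_block(self, client_id: str) -> Offer:
        addr, lo, hi = self.blocks_free.pop(0)
        self.leases[client_id] = (addr, lo, hi)
        # yiaddr 0.0.0.0 keeps the client from configuring the shared address as its own.
        return Offer("0.0.0.0", {OPTION_IPV4_OPR: encode_opr(addr, lo, hi)})


def demo() -> List[Optional[Tuple[str, Optional[PortBlock]]]]:
    """Constructed run: one full address, one shared address split into 2 x 1024 ports."""
    srv = PortRestrictedDhcpServer(full_pool=["192.0.2.2"], shared_pool=["192.0.2.1"],
                                   reserved_ports=2048, block_size=1024)

    def ask(client: str, capable: bool):
        offer = srv.handle_discover(client, {OPTION_IPV4_RPR: b""} if capable else {})
        if offer is None:
            return None
        opr = offer.options.get(OPTION_IPV4_OPR)
        return offer.yiaddr, (decode_opr(opr) if opr else None)

    return [ask("host-a", True),    # capable: port block, yiaddr 0.0.0.0
            ask("host-b", False),   # legacy: the one full address
            ask("host-c", False),   # legacy, full pool empty: forced OPR
            ask("host-d", True)]    # nothing left at all


if __name__ == "__main__":
    print(demo())
```

Setting reserved_ports to 0 reproduces the CGN-only corner of slide 8: no blocks exist, so even a capable client falls through to a full address (or to no offer), and the CGN keeps all 65536 ports of each shared address.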

SLIDE 11

Next steps

Analyze issues with protocols not using port numbers, such as certain ICMP messages

Some firewalls disallow ICMP passage already today, so what is the damage caused by not supporting messages such as ICMP echo, given that messages such as ICMP errors would continue to work?

Discuss topic on behave and softwires WGs

Seek synergies with other proposals such as Dual-Stack Lite