DS-lite update: draft-ietf-softwire-dual-stack-lite-01.txt
Yiu Lee, IETF 75 (presentation transcript)
Slide 2: Change from 00 to 01
- Port allocation discussion
- Added more discussion for MTU
- Added more discussion for security
- New co-authors: Yiu Lee, Randy Bush

Slide 3: Port Allocation Methods
- Automatic port assignment
- Static reservation: A+P with user-controlled ALG; port forwarding
- Dynamic port reservation

Slide 4: Port Assignment
DS-lite port assignment is modeled on what exists today in the NAT home gateway:
- Automatic port assignment by the NAT
- Static configuration via NAT web interface
- UPnP/NAT-PMP dynamic port reservation
Slide 5: 1 - Automatic Port Assignment
- Applies to flows initiated by a host behind DS-lite.
- The CGN performs standard NAT-44 after de-capsulating the IPv6 header.
- The CGN creates this NAT binding dynamically and expires it if no datagrams flow for a timeout interval.
- This timeout interval should be short enough to maximize port utilization and long enough not to disrupt applications.

Slide 6: 2 - Static Port Reservation (user driven)
- The service provider assigns a (small) number of ports to be directly under the control of customers.
- The method to distribute them can be out-of-band, e.g. an ISP portal.
- This enables inbound connections.
- The user can configure the static port forwarding policy of the CGN to specify two possible behaviors: A+P or port forwarding.
(Figure: "Address & port control" tab for user foo, listing the external IPv4 address and ports 3000-3004, each marked either A+P or port forwarding with an internal IP and port.)

Slide 7: 2.1 A+P with User-Controlled ALG
- User A is assigned port 3000 on the public IP.
- The user has a server application that requires an ALG.
- In the CGN, User A provisions an A+P rule: :3000 prr User A-gw
- The User A gateway performs the ALG and NATs/forwards to the internal host.
(Figure: an inbound packet for Dst:Port 3000 reaches the CGN, which forwards it to the User A gateway without NAT; the home gateway applies the ALG and NATs it to port 3000 on the PC. The A+P rule is an out-of-band 3-party configuration.)

Slide 8: 2.2 Port Forwarding
- User A is assigned port 3001 on public IP 126.96.36.199.
- URL redirection: ->
- In the CGN, User A provisions a port forwarding rule: :3001 nat :80
- The internal host is a web server running behind the DS-lite home gateway.
(Figure: an inbound packet for Dst:Port 3001 reaches the CGN, which NATs it to port 80 on the PC behind the home gateway. The port forwarding rule is an out-of-band 2-party configuration.)

Slide 9: 3 - Dynamic Port Reservation (application driven)
- Many applications today rely on UPnP and/or NAT-PMP to signal that they need to reserve ports.
- Preserve the same semantic: the home gateway becomes a UPnP/NAT-PMP proxy to the CGN.
- The NAT-PMP semantic is more appropriate than UPnP: it can return "port X not available, use port Y instead".
(Figure: the application signals "Port X?" to the home gateway over NAT-PMP; the NAT-PMP proxy in the gateway relays it to the CGN, which answers "X not available, use Y", and the gateway relays that answer back to the application. No user configuration is needed.)
Slide 10: Issues with MTU
- pMTU discovery does NOT work over the tunnel.
- IPv4 fragmentation needs to be avoided.
(Figure: PC - home gateway - CGN - IPv4 Internet, with the tunnel between the home gateway and the CGN.)

Slide 11: MTU
General rules in RFC2473 for the tunnel entry-point:
- If the packet is over the MTU size after encapsulation and the IPv4 DF bit is clear, the entry-point node fragments the oversized IPv6 packet into two IPv6 packets and forwards them to the tunnel exit point.
- If the packet is over the MTU size after encapsulation and the IPv4 DF bit is set, the entry-point node drops the packet and sends an ICMPv6 Packet Too Big message to the sender.

Slide 12: Fragmentation and CGN
- From the Internet to the DS-lite client: the CGN fragments the oversized IPv6 packet and forwards it into the tunnel immediately. This is fast and light-weight.
- From DS-lite to the Internet: the CGN must wait for the fragmented datagrams and re-assemble them before de-capsulation. The CGN needs to maintain memory buffers for fragmented datagrams, which could have a significant impact on CGN performance.
- Good news: most DS-lite clients receive traffic (watching video) rather than sourcing traffic (streaming video).

Slide 13: Optimization
- In the draft, we suggest an optimization for TCP traffic: during the TCP 3-way handshake, the CGN lowers the MSS option value to (MTU - tunnel overhead) in the SYN and SYN-ACK.
- This ensures the TCP client and server send smaller datagrams, so that the encapsulated datagram does not exceed the MTU. Hence, fragmentation does not occur.
- Issue: TCP-AO.
(Figure: the PC advertises MSS 1460, the home gateway passes MSS 1460 on unchanged, and the CGN rewrites it to MSS 1420 toward the IPv4 Internet.)
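The MSS clamp of slide 13 as an added example (written for this transcript, not code from the draft or the slides): it walks the TCP option list of a SYN or SYN-ACK, lowers an MSS above the tunnel limit, and patches the TCP checksum incrementally (RFC 1624) instead of recomputing it over the pseudo-header. The tunnel MTU of 1500 and the sample SYN are assumptions; with them the rewrite is the slide's 1460 to 1420.

```python
import struct

IPV6_HEADER_LEN = 40       # DS-lite tunnel overhead: one extra IPv6 header per datagram
IPV4_TCP_HEADER_LEN = 40   # minimal IPv4 + TCP headers, which the MSS already excludes
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS, TCP_FLAG_SYN = 0, 1, 2, 0x02

def _fold(s):              # fold carries into a 16-bit ones' complement value
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def ones_complement_sum(data):
    """Ones' complement sum of all 16-bit words; unchanged by a correct checksum patch."""
    data += b"\x00" * (len(data) % 2)
    return _fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def _csum_update16(csum, old, new):
    """RFC 1624 incremental update of a checksum after one 16-bit field changes."""
    return ~_fold((~csum & 0xFFFF) + (~old & 0xFFFF) + new) & 0xFFFF

def clamp_mss(segment, tunnel_mtu=1500):
    """Lower the MSS option of a SYN/SYN-ACK to (tunnel MTU - IPv4/TCP - IPv6 overhead).
    Returns (segment, new_mss); new_mss is None when nothing was rewritten."""
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & TCP_FLAG_SYN:
        return segment, None               # the MSS option is only carried on SYN / SYN-ACK
    target = tunnel_mtu - IPV4_TCP_HEADER_LEN - IPV6_HEADER_LEN   # 1500 -> 1420
    seg, i, new_mss = bytearray(segment), 20, None
    while i < data_offset:
        kind = seg[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset or seg[i + 1] < 2 or i + seg[i + 1] > data_offset:
            return segment, None           # malformed option list: leave the segment alone
        if kind == TCP_OPT_MSS and seg[i + 1] == 4:
            mss = struct.unpack_from("!H", seg, i + 2)[0]
            if mss > target:
                struct.pack_into("!H", seg, i + 2, target)
                old_csum = struct.unpack_from("!H", seg, 16)[0]
                struct.pack_into("!H", seg, 16, _csum_update16(old_csum, mss, target))
                new_mss = target
        i += seg[i + 1]
    return bytes(seg), new_mss

# Constructed sample: SYN 40000 -> 80, data offset 6 (24 bytes), placeholder checksum 0x1234, MSS 1460.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, TCP_FLAG_SYN,
                         65535, 0x1234, 0) + bytes([TCP_OPT_MSS, 4]) + struct.pack("!H", 1460)
```

Because the rewrite changes option bytes and the checksum, a TCP-AO MAC that covers the options no longer verifies at the peer, which is the TCP-AO issue the slide flags.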
Slide 14: Discussion Item
- Do we want to relax RFC2473 and fragment the datagram although the DF bit is set?
- The argument is that fragmentation happens at the link layer. The tunnel end-point re-assembles the datagram before de-capsulating.
- This would allow the system to work in case pMTU discovery is broken.
- RFC2460 already says: "On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6."
Slide 15: CGN Security
Two layers of ACL for packets coming out of the tunnel:
- Outer header ACL: authorized clients only.
- Inner header ACL: the CGN only forwards datagrams coming from an authorized IP address range and transport port (RFC1918, the IANA address, A+P).
- Other unauthorized datagrams are dropped.

Slide 16: ACL Discussions
- IPv6 ACL: the CGN applies the ACL to the IPv6 address before de-capsulation. E.g., the CGN serves the known client IPv6 prefixes but drops others.
- IPv4 ACL for RFC1918 and the IANA Reserved DS-lite Prefix: the CGN examines the inner IPv4 header. If the source address is in RFC1918 space or the IANA Reserved DS-lite Prefix, the CGN NATs the datagram and forwards it. If not, the datagram is dropped. This ACL is simple and rarely changed.
- A+P ACL: the CGN examines the inner IPv4 header. If the source address and port are in an authorized A+P address range, the CGN forwards the datagram. This policy needs to be updated when an A+P address range is added, deleted or modified. Besides, each CGN may serve different A+P ranges, so each CGN may have a different A+P ACL.
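The two ACL layers of slides 15 and 16 as one decision function (added example, not code from the draft or from any CGN): the outer IPv6 source is checked against the served client prefixes before de-capsulation, an inner RFC1918 or reserved-prefix source is NATed, and an inner A+P source is forwarded only when its address and port match the rule provisioned for that tunnel endpoint, the binding the prr-to-gateway rule on slide 7 implies. The /48, the subscriber gateway address, the public address 198.51.100.7 and the port range 3000-3004 are constructed values, and 192.0.0.0/29 is the reserved prefix IANA later assigned in RFC 6333, not a value these draft-01 slides give.

```python
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Draft-01 only says "IANA Reserved DS-lite Prefix"; 192.0.0.0/29 is the value IANA
# assigned later (RFC 6333) and is used here for concreteness.
DSLITE_RESERVED = ipaddress.ip_network("192.0.0.0/29")

@dataclass
class CgnPolicy:
    # Outer ACL: IPv6 prefixes of the clients this CGN serves (checked before de-capsulation).
    client_prefixes: list
    # A+P ACL: tunnel endpoint -> (public IPv4 address, port range) it may source directly.
    aplusp_rules: dict = field(default_factory=dict)

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def cgn_decision(policy, outer_src, inner_src, inner_sport):
    """Apply both ACL layers to one datagram arriving from the tunnel.
    Returns "drop", "nat" (private source: NAT-44 then forward) or
    "forward" (authorized A+P source: forward without NAT)."""
    outer = ipaddress.ip_address(outer_src)
    inner = ipaddress.ip_address(inner_src)
    # Layer 1: outer IPv6 header, before de-capsulation.
    if outer.version != 6 or not _in_any(outer, policy.client_prefixes):
        return "drop"
    # Layer 2a: inner IPv4 source in RFC1918 or the reserved DS-lite prefix -> NAT.
    if inner.version == 4 and (_in_any(inner, RFC1918) or inner in DSLITE_RESERVED):
        return "nat"
    # Layer 2b: A+P. The rule is bound to the tunnel endpoint, so one subscriber cannot
    # source packets carrying another subscriber's public address and port.
    rule = policy.aplusp_rules.get(outer)
    if rule and inner == rule[0] and inner_sport in rule[1]:
        return "forward"
    return "drop"

# Constructed sample policy: one /48 of subscribers; user foo's gateway holds ports
# 3000-3004 on the shared public address (all values made up for this example).
POLICY = CgnPolicy(
    client_prefixes=[ipaddress.ip_network("2001:db8:1::/48")],
    aplusp_rules={ipaddress.ip_address("2001:db8:1::a"):
                  (ipaddress.ip_address("198.51.100.7"), range(3000, 3005))},
)
```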
Slide 17: Other security issues
- The Internet community needs to deal with web sites that put IPv4 addresses in a penalty box after a number of unsuccessful login attempts.
- More generally, the community needs to revisit the notion that an IPv4 address uniquely identifies a customer.