Presentation is loading. Please wait.

Presentation is loading. Please wait.

DS-lite update Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee IETF 75.

Similar presentations

Presentation on theme: "DS-lite update Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee IETF 75."— Presentation transcript:

1 DS-lite update Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee IETF 75

2 Change from 00 to 01 Port allocation discussion Added more discussion for MTU Added more discussion for security New co-authors: Yiu Lee Randy Bush 2

3 Port Allocation Methods Automatic Port Assignment Static Reservation A+P with User-Controlled ALG Port forwarding Dynamic Port Reservation 3

4 Port Assignment DS-lite port assignment is modeled on what exists today in the NAT home gateway: Automatic port assignment by the NAT Static configuration via NAT web interface UPnP/NAT-PMP dynamic port reservation 4

5 1 - Automatic Port Assignment Applies to flows initiated by host behind DS-lite CGN will perform standard NAT-44 after de-capsulating the IPv6 header. CGN creates this NAT-binding dynamically and will expire it if there are no datagrams flowing for a timeout interval. This timeout interval should be short enough to maximize the port utilization and long enough not to disrupt applications. 5

6 2 - Static Port Reservation (user driven) Service Provider will assign a (small) number of ports to be directly under the the control of customers. The method to distribute them can be out-of-band –eg: ISP portal This enables inbound connections User can configure the static port forwarding policy of the CGN to specify 2 possible behavior: A+P Port forwarding 6 ISP portal Address & port control tab External IPv4 address: Port A+P Port forwarding Internal IP Port … x x x x x User: foo

7 2.1 A+P with User-Controlled ALG User A is assigned port 3000 on public IP User has a server application that requires an ALG In CGN, User A provisions an A+P rule: :3000 prr User A-gw User-A gateway performs the ALG and NAT/forward to internal host CGN A+P Home gateway PC A+P No NAT NAT to Port 3000s Dst: Port Port 3000 ALG prr :3000 to User A-gw Out-of-band 3-party configuration User

8 2.2 Port Forwarding User A is assigned port 3001 on public IP URL redirection: -> 1 In CGN, User-A provisions a port forwarding rule: :3001 nat : is a web server running behind the DS-lite home gateway. 8 CGN Home gateway PC Port forwarding NAT to Port Port 80 Dst: Port 3001 Out-of-band 2-party configuration User

9 3 - Dynamic Port Reservation (application driven) Many applications today rely on UPnP and/or NAT- PMP to signal they need to reserve ports. Preserve the same semantic: the home gateway becomes a UPnP/NAT-PMP proxy to the CGN. NAT-PNP semantic is more appropriate than UPnP Returns port X not available, use port Y instead 9 CGN Home gateway PC NAT-PMP Port X? X not available, Use Y NAT-PMP Port X? X not available, Use Y NAT-PMP proxy Application signaling No user configuration Gateway signaling

10 Issues with MTU 10 CGN Home gateway PCIPv4 Internet MTU 1500 MTU 1460 pMTU discovery does NOT work over the tunnel IPv4 fragmentation needs to be avoided

11 MTU General Rules in RFC2473 for Tunnel Entry-Point : If the packet is over the MTU size after encapsulation and IPv4 DF bit is clear –The Entry-Point node will fragment the oversized IPv6 packet into two IPv6 packets and forward to the tunnel exit point. If the packet is over the MTU size after encapsulation and IPv4 DF bit is set –The Entry-Point node will drop the packet and send ICMPv6 Packet Too Big Msg to the sender. 11

12 Fragmentation and CGN From Internet to DS-lite client: CGN will fragment the oversize IPv6 packet and forward to the tunnel immediately. This is fast and light-weight. From DS-lite to Internet This requires the CGN to wait for the fragmented datagrams and re-assemble them for de-capsulation. CGN will need to maintain memory buffers for fragmented datagrams. This could have significant impact to CGN performance. Good News Most DS-lite clients receive traffic (watching video). rather than sourcing traffic (streaming video). 12

13 Optimization In the draft, we suggest an optimization for TCP traffic During TCP the 3-way handshake process, CGN will lower the MSS option value to (MTU – tunnel overhead) in SYN and SYN-ACK. This optimization is used to ensure the TCP client and server will send smaller datagram so that the size of the encapsulated datagram wont go beyond the MTU size. Hence, fragmentation wont occur. Issue: TCP-AO 13 CGN Home gateway PCIPv4 Internet MSS 1460 MSS 1420MSS 1460

14 Discussion Item Do we want to relax RFC2473 and fragment the datagram although DF bit is set? The argument is that fragmentation happens at the link layer. The tunnel end-point will re-assemble the datagram before de-capsulating. Will allow system to work in case pMTU is broken RFC2460 already says On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6. 14

15 CGN Security 2 layers of ACL for packets coming out of the tunnel: Outer header ACL –Authorized clients only Inner header ACL –CGN only forward datagrams coming from authorized IP address range and transport port. RFC1918 IANA address A+P –Other unauthorized datagrams will be dropped. 15

16 ACL Discussions IPv6 ACL CGN applies ACL at the IPv6 address before de-capsulation. Eg., CGN serves the known client IPv6 prefixes but drops others. IPv4 ACL for RFC IANA Reserved DS-lite Prefix CGN examines the inner IPv4 header. If the source address is RFC1918 and IANA Reserved DS-lite Prefix, CGN will NAT the datagram and forward it. If not, the datagram is dropped. This ACL is simple and rarely changed. A+P ACL CGN will examine the inner IPv4 header. If the source address and is authorized A+P address range, CGN will forward the datagram. This policy is needed to be updated when the A+P address range is added, deleted or modified. Besides, each CGN may serve different A+P ranges, so each CGN may have different A+P ACL. 16

17 Other security issues The Internet community needs to deal with Web sites that put IPv4 addresses in penalty box after a number of unsuccessful login attempts. More generally, the community needs to revisit notion that an IPv4 address uniquely identifies a customer. 17

18 Next steps? Working group last call? 18

Download ppt "DS-lite update Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee IETF 75."

Similar presentations

Ads by Google