Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee

Similar presentations

Presentation on theme: "Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee"— Presentation transcript:

1 Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee
DS-lite update Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee IETF 75

2 Change from 00 to 01 Port allocation discussion
Added more discussion for MTU Added more discussion for security New co-authors: Yiu Lee Randy Bush

3 Port Allocation Methods
Automatic Port Assignment Static Reservation A+P with User-Controlled ALG Port forwarding Dynamic Port Reservation

4 Port Assignment DS-lite port assignment is modeled on what exists today in the NAT home gateway: Automatic port assignment by the NAT Static configuration via NAT web interface UPnP/NAT-PMP dynamic port reservation

5 1 - Automatic Port Assignment
Applies to flows initiated by host behind DS-lite CGN will perform standard NAT-44 after de-capsulating the IPv6 header. CGN creates this NAT-binding dynamically and will expire it if there are no datagrams flowing for a timeout interval. This timeout interval should be short enough to maximize the port utilization and long enough not to disrupt applications.

6 2 - Static Port Reservation (user driven)
ISP portal Service Provider will assign a (small) number of ports to be directly under the the control of customers. The method to distribute them can be out-of-band eg: ISP portal This enables inbound connections User can configure the static port forwarding policy of the CGN to specify 2 possible behavior: A+P Port forwarding Address & port control tab User: foo External IPv4 address: Port A+P Port forwarding Internal IP Port 3000 3001 3002 3003 3004 x x 80 x 5080 x x

7 2.1 A+P with User-Controlled ALG
Dst: Port 3000 User A is assigned port 3000 on public IP User has a server application that requires an ALG In CGN, User A provisions an A+P rule: :3000 prr User A-gw User-A gateway performs the ALG and NAT/forward to internal host A+P CGN prr :3000 to User A-gw No NAT Out-of-band 3-party configuration A+P Home gateway ALG NAT to Port 3000s PC User Port 3000

8 2 .2 Port Forwarding User A is assigned port 3001 on public IP
Dst: Port 3001 User A is assigned port 3001 on public IP URL redirection: -> In CGN, User-A provisions a port forwarding rule: :3001 nat :80 is a web server running behind the DS-lite home gateway. Port forwarding CGN NAT to Port 80 Out-of-band 2-party configuration Home gateway PC User Port 80

9 3 - Dynamic Port Reservation (application driven)
Many applications today rely on UPnP and/or NAT-PMP to signal they need to reserve ports. Preserve the same semantic: the home gateway becomes a UPnP/NAT-PMP proxy to the CGN. NAT-PNP semantic is more appropriate than UPnP Returns “port X not available, use port Y instead” CGN NAT-PMP Port X? X not available, Use Y Gateway signaling Home gateway NAT-PMP proxy NAT-PMP Port X? X not available, Use Y Application signaling PC No user configuration

10 Issues with MTU pMTU discovery does NOT work over the tunnel
Home gateway PC CGN IPv4 Internet pMTU discovery does NOT work over the tunnel IPv4 fragmentation needs to be avoided

11 MTU General Rules in RFC2473 for Tunnel Entry-Point :
If the packet is over the MTU size after encapsulation and IPv4 DF bit is clear The Entry-Point node will fragment the oversized IPv6 packet into two IPv6 packets and forward to the tunnel exit point. If the packet is over the MTU size after encapsulation and IPv4 DF bit is set The Entry-Point node will drop the packet and send ICMPv6 Packet Too Big Msg to the sender.

12 Fragmentation and CGN From Internet to DS-lite client:
CGN will fragment the oversize IPv6 packet and forward to the tunnel immediately. This is fast and light-weight. From DS-lite to Internet This requires the CGN to wait for the fragmented datagrams and re-assemble them for de-capsulation. CGN will need to maintain memory buffers for fragmented datagrams. This could have significant impact to CGN performance. Good News Most DS-lite clients receive traffic (watching video). rather than sourcing traffic (streaming video).

13 Optimization In the draft, we suggest an optimization for TCP traffic
During TCP the 3-way handshake process, CGN will lower the MSS option value to (MTU – tunnel overhead) in SYN and SYN-ACK. This optimization is used to ensure the TCP client and server will send smaller datagram so that the size of the encapsulated datagram won’t go beyond the MTU size. Hence, fragmentation won’t occur. Issue: TCP-AO MSS 1460 MSS 1460 MSS 1420 Home gateway PC CGN IPv4 Internet

14 Discussion Item Do we want to relax RFC2473 and fragment the datagram although DF bit is set? The argument is that fragmentation happens at the link layer. The tunnel end-point will re-assemble the datagram before de-capsulating. Will allow system to work in case pMTU is broken RFC2460 already says “On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6.”

15 CGN Security 2 layers of ACL for packets coming out of the tunnel:
Outer header ACL Authorized clients only Inner header ACL CGN only forward datagrams coming from authorized IP address range and transport port. RFC1918 IANA address A+P Other unauthorized datagrams will be dropped.

16 ACL Discussions IPv6 ACL
CGN applies ACL at the IPv6 address before de-capsulation. Eg., CGN serves the known client IPv6 prefixes but drops others. IPv4 ACL for RFC IANA Reserved DS-lite Prefix CGN examines the inner IPv4 header. If the source address is RFC1918 and IANA Reserved DS-lite Prefix, CGN will NAT the datagram and forward it. If not, the datagram is dropped. This ACL is simple and rarely changed. A+P ACL CGN will examine the inner IPv4 header. If the source address and is authorized A+P address range, CGN will forward the datagram. This policy is needed to be updated when the A+P address range is added, deleted or modified. Besides, each CGN may serve different A+P ranges, so each CGN may have different A+P ACL.

17 Other security issues The Internet community needs to deal with Web sites that put IPv4 addresses in penalty box after a number of unsuccessful login attempts. More generally, the community needs to revisit notion that an IPv4 address uniquely identifies a customer.

18 Next steps? Working group last call?

Download ppt "Draft-ietf-softwire-dual-stack-lite-01.txt Yiu Lee"

Similar presentations

Ads by Google