One document matched: draft-donley-behave-deterministic-cgn-07.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="info" docName="draft-donley-behave-deterministic-cgn-07"
ipr="trust200902">
<front>
<title abbrev="deterministic-cgn">Deterministic Address Mapping to Reduce
Logging in Carrier Grade NAT Deployments</title>
<author fullname="Chris Donley" initials="C." surname="Donley">
<organization>CableLabs</organization>
<address>
<postal>
<street>858 Coal Creek Cir</street>
<city>Louisville</city>
<region>CO</region>
<code>80027</code>
<country>US</country>
</postal>
<email>c.donley@cablelabs.com</email>
</address>
</author>
<author fullname="Chris Grundemann" initials="C." surname="Grundemann">
<organization>Internet Society</organization>
<address>
<postal>
<street/>
<city>Denver</city>
<region>CO</region>
<code/>
<country>US</country>
</postal>
<email>cgrundemann@gmail.com</email>
</address>
</author>
<author fullname="Vikas Sarawat" initials="V." surname="Sarawat">
<organization>CableLabs</organization>
<address>
<postal>
<street>858 Coal Creek Cir</street>
<city>Louisville</city>
<region>CO</region>
<code>80027</code>
<country>US</country>
</postal>
<email>v.sarawat@cablelabs.com</email>
</address>
</author>
<author fullname="Karthik Sundaresan" initials="K." surname="Sundaresan">
<organization>CableLabs</organization>
<address>
<postal>
<street>858 Coal Creek Cir</street>
<city>Louisville</city>
<region>CO</region>
<code>80027</code>
<country>US</country>
</postal>
<email>k.sundaresan@cablelabs.com</email>
</address>
</author>
<author fullname="Olivier Vautrin" initials="O." surname="Vautrin">
<organization>Juniper Networks</organization>
<address>
<postal>
<street>1194 N Mathilda Avenue</street>
<city>Sunnyvale</city>
<region>CA</region>
<code>94089</code>
<country>US</country>
</postal>
<email>olivier@juniper.net</email>
</address>
</author>
<date day="13" month="January" year="2014"/>
<abstract>
<t>In some instances, Service Providers have a legal logging requirement
to be able to map a subscriber’s inside address with the address
used on the public Internet (e.g. for abuse response). Unfortunately,
many Carrier Grade NAT logging solutions require active logging of
dynamic translations. Carrier Grade NAT port assignments are often
per-connection, but could optionally use port ranges. Research indicates
that per-connection logging is not scalable in many residential
broadband services. This document suggests a way to manage Carrier Grade
NAT translations in such a way as to significantly reduce the amount of
logging required while providing traceability for abuse response. While
the authors acknowledge that IPv6 is a preferred solution, Carrier Grade
NAT is a reality in many networks, and is needed in situations where
either customer equipment or Internet content only supports IPv4; this
approach should in no way slow the deployment of IPv6.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>It is becoming increasingly difficult to obtain new IPv4 address
assignments from Regional/Local Internet Registries due to depleting
supplies of unallocated IPv4 address space. To meet the growing demand
for Internet connectivity from new subscribers, devices, and service
types, some operators will be forced to share a single public IPv4
address among multiple subscribers using techniques such as <xref
target="RFC6264">Carrier Grade Network Address Translation (CGN)</xref>
(e.g., <xref target="I-D.shirasaki-nat444">NAT444</xref>, <xref
target="RFC6333">DS-Lite</xref>, NAT64 <xref target="RFC6146"/> etc.).
However, address sharing poses additional challenges to operators when
considering how they manage service entitlement, public safety requests,
or attack/abuse/fraud reports <xref target="RFC6269"/>. In order to
identify a specific user associated with an IP address in response to
such a request or for service entitlement, an operator will need to map
a subscriber's internal source IP address and source port with the
global public IP address and source port provided by the CGN for every
connection initiated by the user.</t>
<t>CGN connection logging satisfies the need to identify attackers and
respond to abuse/public safety requests, but it imposes significant
operational challenges to operators. In lab testing, we have observed
CGN log messages to be approximately 150 bytes long for <xref
target="I-D.shirasaki-nat444">NAT444 </xref>, and 175 bytes for <xref
target="RFC6333">DS-Lite </xref> (individual log messages vary somewhat
in size). Although we are not aware of definitive studies of connection
rates per subscriber, reports from several operators in the US sets the
average number of connections per household at approximately 33,000
connections per day. If each connection is individually logged, this
translates to a data volume of approximately 5 MB per subscriber per
day, or about 150 MB per subscriber per month; however, specific data
volumes may vary across different operators based on myriad factors.
Based on available data, a 1-million subscriber service provider will
generate approximately 150 terabytes of log data per month, or 1.8
petabytes per year.</t>
<t>The volume of log data poses a problem for both operators and the
public safety community. On the operator side, it requires a significant
infrastructure investment by operators implementing CGN. It also
requires updated operational practices to maintain the logging
infrastructure, and requires approximately 23 Mbps of bandwidth between
the CGN devices and the logging infrastructure per 50,000 users. On the
public safety side, it increases the time required for an operator to
search the logs in response to an abuse report, and could delay
investigations. Accordingly, an international group of operators and
public safety officials approached the authors to identify a way to
reduce this impact while improving abuse response.</t>
<t>The volume of CGN logging can be reduced by assigning port ranges
instead of individual ports. Using this method, only the assignment of a
new port range is logged. This may massively reduce logging volume. The
log reduction may vary depending on the length of the assigned port
range, whether the port range is static or dynamic, etc. This has been
acknowledged in <xref target="RFC6269"/> and <xref
target="I-D.sivakumar-behave-nat-logging"/>. Per <xref
target="RFC6269"/>:</t>
<t>"Address sharing solutions may mitigate these issues to some extent
by pre-allocating groups of ports. Then only the allocation of the group
needs to be recorded, and not the creation of every session binding
within that group. There are trade-offs to be made between the sizes of
these port groups, the ratio of public addresses to subscribers, whether
or not these groups timeout, and the impact on logging requirements and
port randomization security <xref
target="RFC6056">(RFC6056)</xref>."</t>
<t>However, the existing solution still poses an impact on operators and
public safety officials for logging and searching. Instead, CGNs could
be designed and/or configured to deterministically map internal
addresses to {external address + port range} in such a way as to be able
to algorithmically calculate the mapping. Only inputs and configuration
of the algorithm need to be logged. This approach reduces both logging
volume and subscriber identification times. In some cases, when full
deterministic allocation is used, this approach can eliminate the need
for translation logging.</t>
<t>This document describes a method for such CGN address mapping,
combined with block port reservations, that significantly reduces the
burden on operators while offering the ability to map a subscriber's
inside IP address with an outside address and external port number
observed on the Internet.</t>
<t>The activation of the proposed port range allocation scheme is
compliant with BEHAVE requirements such as the support of APP.</t>
</section>
<section title="Deterministic Port Ranges">
<t>While a subscriber uses thousands of connections per day, most
subscribers use far fewer resources at any given time. When the
compression ratio (see Appendix B of <xref
target="RFC6269">RFC6269</xref>) is low (e.g., the ratio of the number
of subscribers to the number of public IPv4 addresses allocated to a CGN
is closer to 10:1 than 1000:1), each subscriber could expect to have
access to thousands of TCP/UDP ports at any given time. Thus, as an
alternative to logging each connection, CGNs could deterministically map
customer private addresses (received on the customer-facing interface of
the CGN, a.k.a., internal side) to public addresses extended with port
ranges (used on the Internet-facing interface of the CGN, a.k.a.,
external side). This algorithm allows an operator to identify a
subscriber internal IP address when provided the public side IP and port
number without having to examine the CGN translation logs. This prevents
an operator from having to transport and store massive amounts of
session data from the CGN and then process it to identify a
subscriber.</t>
<t>The algorithmic mapping can be expressed as:</t>
<t>(External IP Address, Port Range) = function 1 (Internal IP
Address)</t>
<t>Internal IP Address = function 2 (External IP Address, Port
Number)</t>
<t>The CGN SHOULD provide a method for administrators to test both
mapping functions (e.g., enter an External IP Address + Port Number and
receive the corresponding Internal IP Address).</t>
<t>Deterministic Port Range allocation requires configuration of the
following variables:</t>
<t><list style="symbols">
<t>Inside IPv4/IPv6 address range (I);</t>
<t>Outside IPv4 address range (O);</t>
<t>Compression ratio (e.g. inside IP addresses I/outside IP
addresses O) (C);</t>
<t>Dynamic address pool factor (D), to be added to the compression
ratio in order to create an overflow address pool;</t>
<t>Maximum ports per user (M);</t>
<t>Address assignment algorithm (A) (see below); and</t>
<t>Reserved TCP/UDP port list (R)</t>
</list></t>
<t>Note: The inside address range (I) will be an IPv4 range in NAT444
operation (<xref target="I-D.shirasaki-nat444">NAT444</xref>) and an
IPv6 range in DS-Lite operation (<xref
target="RFC6333">DS-Lite</xref>).</t>
<t>A subscriber is identified by an internal IPv4 address (e.g., NAT44)
or an IPv6 prefix (e.g., DS-Lite or NAT64).</t>
<t>The algorithm may be generalized to <xref
target="I-D.miles-behave-l2nat">L2-aware NAT </xref> but this requires
the configuration of the Internal interface identifiers (e.g., MAC
addresses).</t>
<t>The algorithm is not designed to retrieve an internal host among
those sharing the same internal IP address (e.g., in a DS-Lite context,
only an IPv6 address/prefix can be retrieved using the algorithm while
the internal IPv4 address used for the encapsulated IPv4 datagram is
lost).</t>
<t>Several address assignment algorithms are possible. Using predefined
algorithms, such as those that follow, simplifies the process of
reversing the algorithm when needed. However, the CGN MAY support
additional algorithms. Also, the CGN is not required to support all
algorithms described below. Subscribers could be restricted to ports
from a single IPv4 address, or could be allocated ports across all
addresses in a pool, for example. The following algorithms and
corresponding values of A are as follow:</t>
<t><list style="empty">
<t hangText="0">0: Sequential (e.g. the first block goes to address
1, the second block to address 2, etc.)</t>
<t hangText="1">1: Staggered (e.g. for every n between 0 and
((65536-R)/(C+D))-1 , address 1 receives ports n*C+R, address 2
receives ports (1+n)*C+R, etc.)</t>
<t hangText="1">2: Round robin (e.g. the subscriber receives the
same port number across a pool of external IP addresses. If the
subscriber is to be assigned more ports than there are in the
external IP pool, the subscriber receives the next highest port
across the IP pool, and so on. Thus, if there are 10 IP addresses in
a pool and a subscriber is assigned 1000 ports, the subscriber would
receive a range such as ports 2000-2099 across all 10 external IP
addresses).</t>
<t hangText="1">3: Interlaced horizontally (e.g. each address
receives every Cth port spread across a pool of external IP
addresses).</t>
<t hangText="1">4: Cryptographically random port assignment (Section
2.2 of <xref target="RFC6431">RFC6431</xref>). If this algorithm is
used, the Service Provider needs to retain the keying material and
specific cryptographic function to support reversibility.</t>
<t hangText="1">5: Vendor-specific. Other vendor-specific algorithms
may also be supported.</t>
</list></t>
<t>The assigned range of ports MAY also be used when translating ICMP
requests (when re-writing the Identifier field).</t>
<t>The CGN then reserves ports as follows:</t>
<t><list style="numbers">
<t>The CGN removes reserved ports (R) from the port candidate list
(e.g., 0-1023 for TCP and UDP). At a minimum, the CGN SHOULD remove
system ports <xref target="RFC6335">(RFC6335)</xref> from the port
candidate list reserved for deterministic assignment.</t>
<t>The CGN calculates the total compression ratio (C+D), and
allocates 1/(C+D) of the available ports to each internal IP
address. Specific port allocation is determined by the algorithm (A)
configured on the CGN. Any remaining ports are allocated to the
dynamic pool. <vspace blankLines="1"/> Note: Setting D to 0 disables
the dynamic pool. This option eliminates the need for per-subscriber
logging at the expense of limiting the number of concurrent
connections that 'power users' can initiate.</t>
<t>When a subscriber initiates a connection, the CGN creates a
translation mapping between the subscriber's inside local IP
address/port and the CGN outside global IP address/port. The CGN
MUST use one of the ports allocated in step 2 for the translation as
long as such ports are available. The CGN SHOULD allocate ports
randomly within the port range assigned by the deterministic
algorithm. This is to increase subscriber privacy. The CGN MUST use
the preallocated port range from step 2 for Port Control Protocol
(PCP, <xref target="I-D.ietf-pcp-base"/>) reservations as long as
such ports are available. While the CGN maintains its mapping table,
it need not generate a log entry for translation mappings created in
this step.</t>
<t>If D>0, the CGN will have a pool of ports left for dynamic
assignment. If a subscriber uses more than the range of ports
allocated in step 2 (but fewer than the configured maximum ports M),
the CGN assigns a block of ports from the dynamic assignment range
for such a connection or for PCP reservations. The CGN MUST log
dynamically assigned port blocks to facilitate subscriber-to-address
mapping. The CGN SHOULD manage dynamic ports as described in <xref
target="I-D.tsou-behave-natx4-log-reduction"> </xref>.</t>
<t>Configuration of reserved ports (e.g., system ports) is left to
operator configuration.</t>
</list></t>
<t>Thus, the CGN will maintain translation mapping information for all
connections within its internal translation tables; however, it only
needs to externally log translations for dynamically-assigned ports.</t>
<section title="IPv4 Port Utilization Efficiency">
<t>For Service Providers requiring an aggressive address sharing
ratio, the use of the algorithmic mapping may impact the efficiency of
the address sharing. A dynamic port range allocation assignment is
more suitable in those cases.</t>
</section>
<section title="Planning & Dimensioning">
<t>Unlike dynamic approaches, the use of the algorithmic mapping
requires more effort from operational teams to tweak the algorithm
(e.g., size of the port range, address sharing ratio, etc.). Dedicated
alarms SHOULD be configured when some port utilization thresholds are
fired so that the configuration can be refined.</t>
<t>The use of algorithmic mapping also affects geolocation. Changes to
the inside and outside address ranges (e.g. due to growth, address
allocation planning, etc.) would require external geolocation
providers to recalibrate their mappings.</t>
</section>
<section title="Deterministic CGN Example">
<t>To illustrate the use of deterministic NAT, let's consider a simple
example. The operator configures an inside address range (I) of
100.64.0.0/28 <xref target="RFC6598"/> and outside address (O) of
203.0.113.1. The dynamic address pool factor (D) is set to '2'. Thus,
the total compression ratio is 1:(14+2) = 1:16. Only the system ports
(e.g. ports < 1024) are reserved (R) . This configuration causes
the CGN to preallocate ((65536-1024)/16 =) 4032 TCP and 4032 UDP ports
per inside IPv4 address. For the purposes of this example, let's
assume that they are allocated sequentially, where 100.64.0.1 maps to
203.0.113.1 ports 1024-5055, 100.64.0.2 maps to 203.0.113.1 ports
5056-9087, etc. The dynamic port range thus contains ports 57472-65535
(port allocation illustrated in the table below). Finally, the maximum
ports/subscriber is set to 5040.</t>
<texttable suppress-title="false">
<ttcol>Inside Address / Pool</ttcol>
<ttcol>Outside Address & Port</ttcol>
<c>Reserved</c>
<c>203.0.113.1:0-1023</c>
<c>100.64.0.1</c>
<c>203.0.113.1:1024-5055</c>
<c>100.64.0.2</c>
<c>203.0.113.1:5056-9087</c>
<c>100.64.0.3</c>
<c>203.0.113.1:9088-13119</c>
<c>100.64.0.4</c>
<c>203.0.113.1:13120-17151</c>
<c>100.64.0.5</c>
<c>203.0.113.1:17152-21183</c>
<c>100.64.0.6</c>
<c>203.0.113.1:21184-25215</c>
<c>100.64.0.7</c>
<c>203.0.113.1:25216-29247</c>
<c>100.64.0.8</c>
<c>203.0.113.1:29248-33279</c>
<c>100.64.0.9</c>
<c>203.0.113.1:33280-37311</c>
<c>100.64.0.10</c>
<c>203.0.113.1:37312-41343</c>
<c>100.64.0.11</c>
<c>203.0.113.1:41344-45375</c>
<c>100.64.0.12</c>
<c>203.0.113.1:45376-49407</c>
<c>100.64.0.13</c>
<c>203.0.113.1:49408-53439</c>
<c>100.64.0.14</c>
<c>203.0.113.1:53440-57471</c>
<c>Dynamic</c>
<c>203.0.113.1:57472-65535</c>
</texttable>
<t>When subscriber 1 using 100.64.0.1 initiates a low volume of
connections (e.g. < 4032 concurrent connections), the CGN maps the
outgoing source address/port to the preallocated range. These
translation mappings are not logged.</t>
<t>Subscriber 2 concurrently uses more than the allocated 4032 ports
(e.g. for peer-to-peer, mapping, video streaming, or other
connection-intensive traffic types), the CGN allocates up to an
additional 1008 ports using bulk port reservations. In this example,
subscriber 2 uses outside ports 5056-9087, and then 100-port blocks
between 58000-58999. Connections using ports 5056-9087 are not logged,
while 10 log entries are created for ports 58000-58099, 58100-58199,
58200-58299, ..., 58900-58999.</t>
<t>In order to identify a subscriber behind a CGN (regardless of port
allocation method), public safety agencies need to collect source
address and port information from content provider log files. Thus,
content providers are advised to log source address, source port, and
timestamp for all log entries, per <xref target="RFC6302"/>. If a
public safety agency collects such information from a content provider
and reports abuse from 203.0.113.1, port 2001, the operator can
reverse the mapping algorithm to determine that the internal IP
address subscriber 1 has been assigned generated the traffic without
consulting CGN logs (by correlating the internal IP address with
DHCP/PPP lease connection records). If a second abuse report comes in
for 203.0.113.1, port 58204, the operator will determine that port
58204 is within the dynamic pool range, consult the log file,
correlate with connection records, and determine that subscriber 2
generated the traffic (assuming that the public safety timestamp
matches the operator timestamp. As noted in <xref
target="RFC6292">RFC6292</xref>, accurate time-keeping (e.g., use of
NTP or Simple NTP) is vital).</t>
<t>In this example, there are no log entries for the majority of
subscribers, who only use pre-allocated ports. Only minimal logging
would be needed for those few subscribers who exceed their
pre-allocated ports and obtain extra bulk port assignments from the
dynamic pool. Logging data for those users will include inside
address, outside address, outside port range, and timestamp.</t>
</section>
</section>
<section title="Additional Logging Considerations">
<t>In order to be able to identify a subscriber based on observed
external IPv4 address, port, and timestamp, an operator needs to know
how the CGN was configured with regards to internal and external IP
addresses, dynamic address pool factor, maximum ports per user, and
reserved port range at any given time. Therefore, the CGN MUST generate
a record any time such variables are changed. The CGN SHOULD generate a
log message any time such variables are changed. The CGN MAY keep such a
record in the form of a router configuration file. If the CGN does not
generate a log message, it would be up to the operator to maintain
version control of router config changes. Also, the CGN SHOULD generate
such a log message once per day to facilitate quick identification of
the relevant configuration in the event of an abuse notification.</t>
<t>Such a log message MUST, at minimum, include the timestamp, inside
prefix I, inside mask, outside prefix O, outside mask, D, M, A, and
reserved port list R; for example:</t>
<t>[Wed Oct 11 14:32:52
2000]:100.64.0.0:28:203.0.113.0:32:2:5040:0:1-1023,5004,5060.</t>
<section title="Failover Considerations">
<t>Due to the deterministic nature of algorithmically-assigned
translations, no additional logging is required during failover
conditions provided that inside address ranges are unique within a
given failover domain. Even when directed to a different CGN server,
translations within the deterministic port range on either the primary
or secondary server can be algorithmically reversed, provided the
algorithm is known. Thus, if 100.64.0.1 port 3456 maps to 203.0.113.1
port 1000 on CGN 1 and 198.51.100.1 port 1000 on Failover CGN 2, an
operator can identify the subscriber based on outside source address
and port information.</t>
<t>Similarly, assignments made from the dynamic overflow pool need to
be logged as described above, whether translations are performed on
the primary or failover CGN.</t>
</section>
</section>
<section title="Impact on the IPv6 Transition">
<t>The solution described in this document is applicable to Carrier
Grade NAT transition technologies (e.g. NAT444, DS-Lite, and NAT64). As
discussed in <xref target="I-D.donley-nat444-impacts"/>, the authors
acknowledge that native IPv6 will offer subscribers a better experience
than CGN. However, many CPE devices only support IPv4. Likewise, as of
July 2012, only approximately 4% of the top 1 million websites were
available using IPv6. Accordingly, deterministic CGN should in no way be
understood as making CGN a replacement for IPv6 service. The authors
encourage device manufacturers to consider <xref target="RFC6540"/> and
include IPv6 support. In the interim, however, CGN has already been
deployed in some operator networks. Deterministic CGN will provide
operators with the ability to quickly respond to public safety requests
without requiring excessive infrastructure, operations, and bandwidth to
support per-connection logging.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>The security considerations applicable to NAT operation for various
protocols as documented in, for example, <xref target="RFC4787">RFC
4787</xref> and <xref target="RFC5382">RFC 5382</xref> also apply to
this document.</t>
<t>Note that with the possible exception of cryptographically-based port
allocations, attackers could reverse-engineer algorithmically-derived
port allocations to either target a specific subscriber or to spoof
traffic to make it appear to have been generated by a specific
subscriber. However, this is exactly the same level of security that the
subscriber would experience in the absence of CGN. CGN is not intended
to provide additional security by obscurity.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>The authors would like to thank the following people for their
suggestions and feedback: Bobby Flaim, Lee Howard, Wes George,
Jean-Francois Tremblay, Mohammed Boucadair, Alain Durand, David Miles,
Andy Anchev, Victor Kuarsingh, Miguel Cros Cecilia, and Reinaldo
Penno.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.4787"?>
<?rfc include="reference.RFC.6269"?>
<?rfc include="reference.RFC.5382"?>
<?rfc include="reference.RFC.6264"?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.6333"?>
<?rfc include='reference.I-D.draft-ietf-pcp-base-29'?>
<?rfc include='reference.RFC.6292'?>
<?rfc include='reference.RFC.6146'?>
<?rfc include='reference.RFC.6056'?>
<?rfc include='reference.RFC.6335'?>
<?rfc include='reference.RFC.6431'?>
<?rfc include='reference.I-D.draft-donley-nat444-impacts-04'?>
<?rfc include='reference.RFC.6302'?>
<?rfc include='reference.I-D.draft-miles-behave-l2nat-00'?>
<?rfc include='reference.RFC.6540'?>
<?rfc include='reference.RFC.6598'?>
<?rfc include="reference.I-D.draft-shirasaki-nat444-06"?>
<?rfc include="reference.I-D.draft-tsou-behave-natx4-log-reduction-02"?>
<?rfc include="reference.I-D.draft-sivakumar-behave-nat-logging-05"?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:54:36 |