One document matched: draft-ietf-behave-lsn-requirements-09.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="no" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="bcp" docName="draft-ietf-behave-lsn-requirements-09" ipr="trust200902"
updates="4787">
<!-- ***** FRONT MATTER ***** -->
<front>
<title abbrev="CGN Requirements">Common requirements for Carrier Grade NATs
(CGNs)</title>
<author fullname="Simon Perreault" initials="S." surname="Perreault"
role="editor">
<organization>Viagénie</organization>
<address>
<postal>
<street>246 Aberdeen</street>
<city>Québec</city>
<region>QC</region>
<code>G1R 2E1</code>
<country>Canada</country>
</postal>
<phone>+1 418 656 9254</phone>
<email>simon.perreault@viagenie.ca</email>
<uri>http://www.viagenie.ca</uri>
</address>
</author>
<author fullname="Ikuhei Yamagata" initials="I." surname="Yamagata">
<organization abbrev="NTT Communications">
NTT Communications Corporation</organization>
<address>
<postal>
<street>Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku</street>
<city>Tokyo</city>
<code>108-8118</code>
<country>Japan</country>
</postal>
<phone>+81 50 3812 4704</phone>
<email>ikuhei@nttv6.jp</email>
</address>
</author>
<author fullname="Shin Miyakawa" initials="S." surname="Miyakawa">
<organization abbrev="NTT Communications">
NTT Communications Corporation</organization>
<address>
<postal>
<street>Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku</street>
<city>Tokyo</city>
<code>108-8118</code>
<country>Japan</country>
</postal>
<phone>+81 50 3812 4695</phone>
<email>miyakawa@nttv6.jp</email>
</address>
</author>
<author fullname="Akira Nakagawa" initials="A." surname="Nakagawa">
<organization abbrev="Japan Internet Exchange (JPIX)">
Japan Internet Exchange Co., Ltd. (JPIX)</organization>
<address>
<postal>
<street>Otemachi Building 21F, 1-8-1 Otemachi, Chiyoda-ku</street>
<city>Tokyo</city>
<code>100-0004</code>
<country>Japan</country>
</postal>
<phone>+81 90 9242 2717</phone>
<email>a-nakagawa@jpix.ad.jp</email>
</address>
</author>
<author fullname="Hiroyuki Ashida" initials="H." surname="Ashida">
<organization>IS Consulting G.K.</organization>
<address>
<postal>
<street>12-17 Odenma-cho Nihonbashi Chuo-ku</street>
<city>Tokyo</city>
<code>103-0011</code>
<country>Japan</country>
</postal>
<email>assie@hir.jp</email>
</address>
</author>
<date/>
<!-- Meta-data Declarations -->
<area>Transport</area>
<workgroup>Internet Engineering Task Force</workgroup>
<keyword>CGN, NAT</keyword>
<abstract>
<t>This document defines common requirements for Carrier-Grade NAT
(CGN). It updates RFC 4787.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>With the shortage of IPv4 addresses, it is expected that more Internet
Service Providers (ISPs) may want to provide a service where a public
IPv4 address would be shared by many subscribers. Each subscriber is
assigned a private address, and a Network Address Translator (NAT) <xref
target="RFC2663"/> situated in the ISP's network translates between
private and public addresses. When a second IPv4 NAT is located at the
customer edge, this results in two layers of NAT.</t>
<t>This service can conceivably be offered alongside others, such as IPv6
services or regular IPv4 service assigning public addresses to
subscribers. Some ISPs started offering such a service long before there
was a shortage of IPv4 addresses, showing that there are driving forces
other than the shortage of IPv4 addresses. One approach to CGN deployment
is described in <xref target="RFC6264"/>.</t>
<t>This document describes behavior that is required of those
multi-subscriber NATs for interoperability. It is not an IETF endorsement
of CGN or a real specification for CGN, but rather just a minimal set of
requirements that will increase the likelihood of applications working
across CGNs.</t>
<t>Because subscribers do not receive unique IPv4 addresses, Carrier Grade
NATs introduce substantial limitations in communications between
subscribers and with the rest of the Internet. In particular, it is
considerably more involved to establish proxy functionality at the border
between internal and external realms. Some applications may require
substantial enhancements, while some others may not function at all in
such an environment. Please see "Issues with IP Address Sharing" <xref
target="RFC6269"/> for details.</t>
<t>This document builds upon previous works describing requirements for
generic NATs <xref target="RFC4787"/><xref target="RFC5382"/><xref
target="RFC5508"/>. These documents, and their updates if any, still
apply in this context. What follows are additional requirements, to be
satisfied on top of previous ones.</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in <xref
target="RFC2119" />.</t>
<t>
Readers are expected to be familiar with "NAT Behavioral Requirements for
Unicast UDP" <xref target="RFC4787" /> and the terms defined there. The
following additional term is used in this document:
<list style='hanging'>
<t hangText="Carrier-Grade NAT (CGN):">A NAT-based <xref
target="RFC2663"/> logical function used to share the same IPv4
address among several subscribers. A CGN is not managed by the
subscribers.
<list style="empty">
<t>Note that the term "carrier-grade" has nothing to do with the
quality of the NAT; that is left to discretion of implementers.
Rather, it is to be understood as a topological qualifier: the NAT
is placed in an ISP's network and translates the traffic of
potentially many subscribers. Subscribers have limited or no control
over the CGN, whereas they typically have full control over a NAT
placed on their premises.</t>
<t>Note also that the CGN described in this document is IPv4-only.
IPv6 address translation is not considered.</t>
<t>However, the scenario in which the IPv4-only CGN logical function
is used may include IPv6 elements. For example, DS-Lite <xref
target="RFC6333"/> uses an IPv4-only CGN logical function in a
scenario making use of IPv6 encapsulation. Therefore, this document
would also apply to the CGN part of DS-Lite.</t>
</list>
</t>
</list>
</t>
<t><xref target="topology"/> summarizes a common network topology in which a
CGN operates.</t>
<figure anchor="topology" title="CGN network topology" align="center">
<artwork><![CDATA[
.
:
| Internet
............... | ...................
| ISP network
External pool: |
192.0.2.1/26 |
++------++ External realm
........... | CGN |...............
++------++ Internal realm
10.0.0.1 | |
| |
| | ISP network
............. | .. | ................
| | Customer premises
10.0.0.100 | | 10.0.0.101
++------++ ++------++
| CPE1 | | CPE2 | etc.
++------++ ++------++
]]></artwork>
<postamble>(IP addresses are only for example purposes)</postamble>
</figure>
<t>Another possible topology is one for hotspots, where there is no customer
premise or customer-premises equipment (CPE), but where a CGN serves a bunch
of customers who don't trust each other and hence fairness is an issue. One
important difference with the previous topology is the absence of a second
layer of NAT. This, however, has no impact on CGN requirements since they
are driven by fairness and robustness in the service provided to customers,
which applies in both cases.</t>
</section>
<section title="Requirements for CGNs">
<t>What follows is a list of requirements for CGNs. They are in
addition to those found in other documents such as <xref target="RFC4787"/>,
<xref target="RFC5382"/>, and <xref target="RFC5508"/>.</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>If a CGN forwards packets containing a given transport protocol, then
it MUST fulfill that transport protocol's behavioral requirements.
Current applicable documents are as follows:
<list style="letters">
<t>"NAT Behavioral Requirements for Unicast UDP" <xref
target="RFC4787"/></t>
<t>"NAT Behavioral Requirements for TCP" <xref target="RFC5382"/></t>
<t>"NAT Behavioral Requirements for ICMP" <xref target="RFC5508"/></t>
<t>"NAT Behavioral Requirements for DCCP" <xref target="RFC5597"/></t>
</list>
Any future NAT behavioral requirements documents for IPv4 transport
protocols will impose additional requirements for CGNs on top of those
stated here.</t>
</list>
<list style="hanging">
<t hangText="Justification:">It is crucial for CGNs to maximize the set of
applications that can function properly across them. The IETF has
documented the best current practices for UDP, TCP, ICMP, and DCCP.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN MUST have a default "IP address pooling" behavior of "Paired"
(as defined in <xref target="RFC4787"/> section 4.1). A CGN MAY provide
a mechanism for administrators to change this behavior on an application
protocol basis.
<list style="symbols">
<t>When multiple overlapping internal IP address ranges share the same
external IP address pool (e.g., DS-Lite <xref target="RFC6333"/>),
the "IP address pooling" behavior applies to mappings between
external IP addresses and internal subscribers rather than between
external and internal IP addresses.</t>
</list>
</t>
</list>
<list style="hanging">
<t hangText="Justification:">This stronger form of REQ-2 from <xref
target="RFC4787"/> is justified by the stronger need for not breaking
applications that depend on the external address remaining constant.</t>
<t>Note that this requirement applies regardless of the transport
protocol. In other words, a CGN must use the same external IP address
mapping for all sessions associated with the same internal IP address,
be they TCP, UDP, ICMP, something else, or a mix of different
protocols.</t>
<t>The justification for allowing other behaviors is to allow the
administrator to save external addresses and ports for application
protocols that are known to work fine with other behaviors in practice.
However, the default behavior MUST be "Paired".</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>The CGN function SHOULD NOT have any limitations on the size nor the
contiguity of the external address pool. In particular, the CGN function
MUST be configurable with contiguous or non-contiguous external IPv4
address ranges.</t>
</list>
<list style="hanging">
<t hangText="Justification:">Given the increasing rarity of IPv4
addresses, it is becoming harder for an operator to provide large
contiguous address pools to CGNs. Additionally, operational flexibility
may require non-contiguous address pools for reasons such as
differentiated services, routing management, etc.</t>
<t>The reason for having SHOULD instead of MUST is to account for
limitations imposed by available resources as well as constraints
imposed for security reasons.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per subscriber.
<list style="letters">
<t>Per-subscriber limits MUST be configurable by the CGN
administrator.</t>
<t>Per-subscriber limits MAY be configurable independently per
transport protocol.</t>
<t>Additionally, it is RECOMMENDED that the CGN include
administrator-adjustable thresholds to prevent a single subscriber
from consuming excessive CPU resources from the CGN (e.g., rate limit
the subscriber's creation of new mappings).</t>
</list>
</t>
</list>
<list style="hanging">
<t hangText="Justification:">A CGN can be considered a network resource
that is shared by competing subscribers. Limiting the number of external
ports assigned to each subscriber mitigates the DoS attack that a
subscriber could launch against other subscribers through the CGN in
order to get a larger share of the resource. It ensures fairness among
subscribers. Limiting the rate of allocation mitigates a similar attack
where the CPU is the resource being targeted instead of port
numbers, however this requirement is not a MUST because it is very hard
to explicitly call out all CPU-consuming events.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN SHOULD support limiting the amount of state memory allocated per
mapping and per subscriber. This may include limiting the number of
sessions, the number of filters, etc., depending on the NAT
implementation.
<list style="letters">
<t>Limits SHOULD be configurable by the CGN administrator.</t>
<t>Additionally, it SHOULD be possible to limit the rate at which
memory-consuming state elements are allocated.</t>
</list>
</t>
</list>
<list style="hanging">
<t hangText="Justification:">A NAT needs to keep track of TCP sessions
associated to each mapping. This state consumes resources for which, in
the case of a CGN, subscribers may compete. It is necessary to ensure
that each subscriber has access to a fair share of the CGN's resources.
Limiting the rate of allocation is intended to prevent CPU
resource exhaustion. Item "B" is at the SHOULD level to account for the
fact that means other than rate limiting may be used to attain the same
goal.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>It MUST be possible to administratively turn off translation for
specific destination addresses and/or ports.</t>
</list>
<list style="hanging">
<t hangText="Justification:">It is common for a CGN administrator to
provide access for subscribers to servers installed in the ISP's
network in the external realm. When such a server is able to reach the
internal realm via normal routing (which is entirely controlled by the
ISP), translation is unneeded. In that case, the CGN may forward packets
without modification, thus acting like a plain router. This may
represent an important efficiency gain.</t>
<t><xref target="passthrough"/> illustrates this use-case.</t>
</list>
</t>
<figure anchor="passthrough" title="CGN pass-through" align="center">
<artwork><![CDATA[
X1:x1 X1':x1' X2:x2
+---+from X1:x1 +---+from X1:x1 +---+
| C | to X2:x2 | | to X2:x2 | S |
| l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
| i | | G | | r |
| e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
| n |from X2:x2 | |from X2:x2 | e |
| t | to X1:x1 | | to X1:x1 | r |
+---+ +---+ +---+
]]></artwork>
</figure>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>It is RECOMMENDED that a CGN have an "Endpoint-Independent Filtering"
behavior (as defined in <xref target="RFC4787"/> section 5). If it is
known that "Address-Dependent Filtering" does not cause the
application-layer protocol to break (how to determine this is out of
scope for this document), then it MAY be used instead.</t>
</list>
<list style="hanging">
<t hangText="Justification:">This is a stronger form of REQ-8 from <xref
target="RFC4787"/>. This is based on the observation that some games
and peer-to-peer applications require EIF for the NAT traversal to work.
In the context of a CGN it is important to minimize application
breakage.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>Once an external port is deallocated, it SHOULD NOT be reallocated to a
new mapping until at least 120 seconds have passed, with the exceptions
being:
<list style="letters">
<t>If the CGN tracks TCP sessions (e.g., with a state machine,
as in <xref target="RFC6146"/> section 3.5.2.2), TCP ports MAY be
reused immediately.</t>
<t>If external ports are statically assigned to internal addresses
(e.g., address X with port range 1000-1999 is assigned to subscriber
A, 2000-2999 to subscriber B, etc.), and the assignment remains
constant across state loss, then ports MAY be reused
immediately.</t>
<t>If the allocated external ports used address-dependent or
address-and-port-dependent filtering before state loss, they MAY be
reused immediately.</t>
</list>
The length of time and the maximum number of ports in this state MUST
be configurable by the CGN administrator.</t>
</list>
<list style="hanging">
<t hangText="Justification:">This is necessary in order to prevent
collisions between old and new mappings and sessions. It ensures that
all established sessions are broken instead of redirected to a different
peer.</t>
<t>The exceptions are for cases where reusing a port immediately does not
create a possibility that packets would be redirected to the wrong
peer. One can imagine other exceptions where mapping collisions are
avoided, thus justifying the SHOULD level for this requirement.</t>
<t>The 120 seconds value corresponds to the Maximum Segment Lifetime (MSL)
from <xref target="RFC0793"/>.</t>
<t>Note that this requirement also applies to the case when a CGN loses
state (due to a crash, reboot, failover to a cold standby, etc.). In
that case, ports that were in use at the time of state loss SHOULD NOT
be reallocated until at least 120 seconds have passed.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN MUST implement a protocol giving subscribers explicit control
over NAT mappings. That protocol SHOULD be the Port Control Protocol
<xref target="I-D.ietf-pcp-base"/>, in which case the PCP server MUST
obey the following constraints on its behavior:
<list style="letters">
<t>It MUST NOT permit the lifetime of a mapping to be reduced beyond
its current life or be set to zero (deleted).</t>
<t>It MUST NOT permit a NAT mapping to be created with a lifetime less
than the lifetime used for implicit mappings.</t>
<t>It MUST NOT support the THIRD_PARTY option except for requests
received from "trusted" sources where it is impractical for those
sources to be spoofed.</t>
<t>The MAP opcode MAY be permitted if the recommendation of endpoint
independent filtering behavior described in REQ-7 is adopted; the
map opcode MUST NOT be permitted in other circumstances. These
constraints MAY be relaxed if a security mechanism consistent with
PCP's Advanced Threat Model (see Section 17.2 of
<xref target="I-D.ietf-pcp-base"/>) is used; this is expected to be
rare for CGN deployments.</t>
<t>Mappings created by PCP MUST follow the same deallocation
behavior (REQ-8) as implicitly mapped traffic.</t>
</list>
</t>
</list>
<list style="hanging">
<t hangText="Justification:">Allowing subscribers to manipulate the NAT
state table with PCP greatly increases the likelihood that applications
will function properly.</t>
<t>A study of PCP-less CGN impacts can be found in <xref
target="I-D.donley-nat444-impacts"/>. Another study considering the
effects of PCP on a peer-to-peer file sharing protocol can be found in
<xref target="I-D.boucadair-pcp-bittorrent"/>.</t>
<t>Items "A" to "D" are justified as follows: Most of the concern has to
do with one customer device interacting negatively with the security of
another; this is of particular concern when the devices belong to
different customers, but devices belonging to the same customer are in
scope for the PCP security analysis as well. Reducing a mapping lifetime
or deleting a mapping create DoS opportunities and can create an
opportunity for one device to intercept another device's traffic. If a
device spoofs creation of a mapping with less than the default lifetime,
then that can create DoS or packet capture opportunities. The behavior
of REQ-8 is critical to avoiding packet capture attacks.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>CGN implementers SHOULD make their equipment manageable.
Standards-based management using standards such as "Definitions of
Managed Objects for NAT" <xref target="RFC4008"/> is RECOMMENDED.</t>
</list>
<list style="hanging">
<t hangText="Justification:">It is anticipated that CGNs will be primarily
deployed in ISP networks where the need for management is critical. This
requirement is at the SHOULD level to account for the fact that some CGN
operators may not need management functionality.</t>
<t>Note also that there are efforts within the IETF toward creating a MIB
tailored for CGNs (e.g., <xref target="I-D.ietf-behave-nat-mib"/>).</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>When a CGN is unable to create a dynamic mapping due to resource
constraints or administrative restrictions (i.e., quotas):
<list style="letters">
<t>it MUST drop the original packet;</t>
<t>it SHOULD send an ICMP Destination Unreachable message with code 1
(Host Unreachable) to the sender;</t>
<t>it SHOULD send a notification (e.g., SNMP trap) towards a
management system (if configured to do so);</t>
<t>and it MUST NOT delete existing mappings in order to "make room"
for the new one. (This only applies to normal CGN behavior, not to
manual operator intervention.)</t>
</list>
</t>
</list>
<list style="hanging">
<t hangText="Justification:">This is a slightly different form of REQ-8
from <xref target="RFC5508"/>. Code 1 is preferred to code 13 because it
is listed as a "soft error" in <xref target="RFC1122"/>, which is
important because we don't want TCP stacks to abort the connection
attempt in this case. See <xref target="RFC5461"/> for details on TCP's
reaction to soft errors.</t>
<t>Sending ICMP errors and SNMP traps may be rate-limited for security
reasons, which is why requirements B and C are SHOULDs, not a MUSTs.</t>
<t>Applications generally handle connection establishment failure better
than established connection failure. This is why dropping the packet
initiating the new connection is preferred over deleting existing
mappings. See also the rationale in <xref target="RFC5508"/> section
6.</t>
</list>
</t>
</section>
<section title="Logging">
<t>It may be necessary for CGN administrators to be able to identify a
subscriber based on external IPv4 address, port, and timestamp in order to
deal with abuse. When multiple subscribers share a single external address,
the source address and port that are visible at the destination host have
been translated from the ones originated by the subscriber.</t>
<t>In order to be able to do this, the CGN would need to log the following
information for each mapping created (this list is for informational
purposes only and does not constitute a requirement):
<list style="symbols">
<t>transport protocol</t>
<t>subscriber identifier (e.g., internal source address or tunnel endpoint
identifier)</t>
<t>external source address</t>
<t>external source port</t>
<t>timestamp</t>
</list>
</t>
<t>By "subscriber identifier" we mean information that uniquely identifies a
subscriber. For example, in a traditional NAT scenario, the internal source
address would be sufficient. In the case of DS-Lite, many subscribers share
the same internal address and the subscriber identifier is the tunnel
endpoint identifier (i.e., the B4's IPv6 address).</t>
<t>A disadvantage of logging mappings is that CGNs under heavy usage may
produce large amounts of logs, which may require large storage volume.</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN SHOULD NOT log destination addresses or ports unless required to
do so for administrative reasons.</t>
</list>
<list style="hanging">
<t hangText="Justification:">Destination logging at the CGN creates
privacy issues. Furthermore, readers should be aware of logging
recommendations for Internet-facing servers <xref target="RFC6302"/>.
With compliant servers, the destination address and port do not need to
be logged by the CGN. This can help reduce the amount of logging.</t>
<t>This requirement is at the SHOULD level to account for the fact that
there may be other reasons for logging destination addresses or
ports. One such reason might be that the remote server is not following
<xref target="RFC6302"/>.</t>
</list>
</t>
</section>
<section title="Port Allocation Scheme">
<t>A CGN's port allocation scheme is subject to three competing
requirements:</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN's port allocation scheme SHOULD maximize port utilization.</t>
</list>
<list style="hanging">
<t hangText="Justification:">External ports is one of the resources being
shared by a CGN. Efficient management of that resource directly impacts
the quality of a subscriber's Internet connection.</t>
<t>Some schemes are very efficient in their port utilization. In that
sense, they have good scaling properties (nothing is wasted). Others
will systematically waste ports.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN's port allocation scheme SHOULD minimize log volume.</t>
</list>
<list style="hanging">
<t hangText="Justification:">Huge log volumes can be problematic to CGN
operators.</t>
<t>Some schemes create one log entry per mapping. Others allow multiple
mappings to generate a single log entry, which sometimes can be
expressed very compactly. With some schemes the logging frequency can
approach that of DHCP servers.</t>
</list>
</t>
<t>
<list style="format REQ-%d:" counter="Requirements">
<t>A CGN's port allocation scheme SHOULD make it hard for attackers to
guess port numbers.</t>
</list>
<list style="hanging">
<t hangText="Justification:">Easily guessed port numbers put subscribers
at risk of the attacks described in <xref target="RFC6056"/>.</t>
<t>Some schemes provide very good security in that ports numbers are not
easily guessed. Others provide poor security to subscribers</t>
</list>
</t>
<t>A CGN implementation's choice of port allocation scheme optimizes to
satisfy one requirement at the expense of another. Therefore, these are soft
requirements (SHOULD as opposed to MUST).</t>
</section>
<section title="Deployment Considerations">
<t>Several issues are encountered when CGNs are used <xref
target="RFC6269"/>. There is current
work in the IETF toward alleviating some of these issues. For example, see
<xref target="I-D.ietf-intarea-nat-reveal-analysis"/>.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>There are no IANA considerations.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>If a malicious subscriber can spoof another subscriber's CPE, it may
cause a DoS to that subscriber by creating mappings up to the allowed
limit. An ISP can prevent this with ingress filtering, as described in
<xref target="RFC2827"/>.</t>
<t>This document recommends Endpoint-Independent Filtering (EIF) as the
default filtering behavior for CGNs. EIF has security considerations
which are discussed in <xref target="RFC4787"/>.</t>
<t>NATs sometimes perform fragment reassembly. CGNs would do so at
presumably high data rates. Therefore, the reader should be familiar with
the potential security issues described in <xref target="RFC4963"/>.</t>
</section>
<section title="Acknowledgements">
<t>
Thanks for the input and review by
Alexey Melnikov,
Arifumi Matsumoto,
Barry Leiba,
Benson Schliesser,
Dai Kuwabara,
Dan Wing,
Dave Thaler,
David Harrington,
Francis Dupont,
Jean-François Tremblay,
Joe Touch,
Lars Eggert,
Kousuke Shishikura,
Mohamed Boucadair,
Martin Stiemerling,
Meng Wei,
Nejc Skoberne,
Pete Resnick,
Reinaldo Penno,
Ron Bonica,
Sam Hartman,
Sean Turner,
Senthil Sivakumar,
Stephen Farrell,
Stewart Bryant,
Takanori Mizuguchi,
Takeshi Tomochika,
Tina Tsou,
Tomohiro Fujisaki,
Tomohiro Nishitani,
Tomoya Yoshida,
Wes George,
Wesley Eddy,
and
Yasuhiro Shirasaki.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.4008"?>
<?rfc include="reference.RFC.4787"?>
<?rfc include="reference.RFC.5382"?>
<?rfc include="reference.RFC.5508"?>
<?rfc include="reference.RFC.5597"?>
<?rfc include="reference.I-D.ietf-pcp-base"?>
</references>
<references title="Informative Reference">
<?rfc include="reference.RFC.0793"?>
<?rfc include="reference.RFC.1122"?>
<?rfc include="reference.RFC.2663"?>
<?rfc include="reference.RFC.2827"?>
<?rfc include="reference.RFC.4963"?>
<?rfc include="reference.RFC.5461"?>
<?rfc include="reference.RFC.6056"?>
<?rfc include="reference.RFC.6146"?>
<?rfc include="reference.RFC.6264"?>
<?rfc include="reference.RFC.6269"?>
<?rfc include="reference.RFC.6302"?>
<?rfc include="reference.RFC.6333"?>
<?rfc include="reference.I-D.ietf-behave-nat-mib"?>
<?rfc include="reference.I-D.ietf-intarea-nat-reveal-analysis"?>
<?rfc include="reference.I-D.donley-nat444-impacts"?>
<?rfc include="reference.I-D.boucadair-pcp-bittorrent"?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 19:51:55 |