rfcdiff: draft-ietf-dime-nat-control-10.txt vs. draft-ietf-dime-nat-control-11.txt
(The text below is shown once, as it reads in draft -11; where draft -10
differs, the -10 wording is given in a bracketed note.)

skipping to change at page 1, line 13

Internet Engineering Task Force                            F. Brockners
Internet-Draft                                              S. Bhandari
Intended status: Standards Track                                  Cisco
Expires: March 5, 2012                                         V. Singh
                                                             V. Fajardo
                                                 Telcordia Technologies
                                                      September 2, 2011

   Diameter Network Address and Port Translation Control Application
                    draft-ietf-dime-nat-control-11
                    [-10: draft-ietf-dime-nat-control-10]

Abstract

   This document describes the framework, messages, and procedures for
   the Diameter Network address and port translation Control
   Application.  This Diameter application allows per endpoint control
   of Network Address Translators and Network Address and Port
   Translators, which are added to networks to cope with IPv4-address
   space depletion.  This Diameter application allows external devices
   to configure and manage a Network Address Translator device -
skipping to change at page 3, line 12

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  7
   3.  Deployment Framework . . . . . . . . . . . . . . . . . . . . .  8
     3.1.  Deployment Scenario  . . . . . . . . . . . . . . . . . . .  8
     3.2.  Diameter NAPT Control Application Overview . . . . . . . . 10
     3.3.  Deployment Scenarios For DNCA  . . . . . . . . . . . . . . 11  [-10: page 10]
   4.  DNCA Session Establishment and Management  . . . . . . . . . . 13
     4.1.  Session Establishment  . . . . . . . . . . . . . . . . . . 14  [-10: page 13]
     4.2.  Session Re-Authorization . . . . . . . . . . . . . . . . . 16
     4.3.  Session and Binding Query  . . . . . . . . . . . . . . . . 18
     4.4.  Session Termination  . . . . . . . . . . . . . . . . . . . 20
     4.5.  Session Abort  . . . . . . . . . . . . . . . . . . . . . . 21
     4.6.  Failure cases of the DNCA Diameter peers . . . . . . . . . 22
   5.  Use of the Diameter Base Protocol  . . . . . . . . . . . . . . 23
     5.1.  Securing Diameter Messages . . . . . . . . . . . . . . . . 23
     5.2.  Accounting Functionality . . . . . . . . . . . . . . . . . 24
     5.3.  Use of Sessions  . . . . . . . . . . . . . . . . . . . . . 24
     5.4.  Routing Considerations . . . . . . . . . . . . . . . . . . 24
skipping to change at page 6, line 29

   4.  Generates reports and accounting records: Reports established
       bindings for a particular user.  The collected information is
       used by accounting systems for statistical purposes.

   5.  Queries and retrieves details about bindings on demand: This
       feature complements the previously mentioned accounting
       functionality (see item 4).  This feature can be used by an
       entity to find NAT-bindings belonging to one or multiple end
       points on the NAT-device.  The entity is not required to create a
       DNCA control session to perform the query, but would obviously
       still need to create a Diameter session complying to the security
       requirements.
       [-10: the sentence ends at "... DNCA control session to perform
       the query."; the clause about still needing a Diameter session
       that complies with the security requirements is new in -11.]

   6.  Identifies a subscriber or endpoint on multiple network devices
       (NAT/NAPT device, the AAA-server, or the Network Access Server
       (NAS)): Endpoint identification is facilitated through a Global
       Endpoint ID.  Endpoints are identified through a single or a set
       of classifiers, such as IP address, Virtual Local Area Network
       (VLAN) identifier, or interface identifier which uniquely
       identify the traffic associated with a particular global
       endpoint.
skipping to change at page 17, line 37

   o  If the NAT-device does not have sufficient resources to process a
      request, an NCA with Result-Code set to RESOURCE_FAILURE MUST be
      returned.

   o  If an NCR redefines the maximum number of NAT-bindings allowed for
      the endpoint, the new value MUST override any previously defined
      limit on NAT bindings.  It depends on the implementation of the
      NAT-device on how the NAT-device copes with a case where the new
      value is lower than the actual number of allocated bindings.  The
      NAT-device SHOULD refrain from enforcing the new limit immediately
      (that is, actively remove bindings), but rather disallows the
      establishment of new bindings until the current number of bindings
      is lower than the newly established maximum number of allowed
      bindings.
      [-10: "The NAT-device MAY refrain from enforcing the new limit
      immediately ..."; -11 raises this to SHOULD.]

   o  If an NCR specifies a new NAT Binding Predefined template on the
      NAT-device, the NAT Binding Predefined template overrides any
      previously defined rule for the session.  Existing NAT-bindings
      SHOULD NOT be impacted by the change of templates.
      [-10: the sentence "Existing NAT-bindings SHOULD NOT be impacted
      by the change of templates." is absent; it is new in -11.]

   o  In case Max-NAT-Binding, NAT-Control-Definition as well as NAT-
      Control-Binding-Template are included in the NCR, and the values
      in Max-NAT-Binding and NAT-Control-Definition contradict those
      specified in the pre-provisioned template on the NAT-device which
      NAT-Control-Binding-Template references, Max-NAT-Binding and NAT-
      Control-Definition MUST override the values specified in the
      template that the NAT-Control-Binding-Template refers to.

      Note: Already established bindings for the session SHOULD NOT be
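The re-authorization rules above leave one behaviour deliberately implementation-specific: what a NAT-device does when a new Max-NAT-Bindings value is lower than the number of bindings already allocated. The following Python model is an added example, not code from the draft or from any DNCA implementation; it shows the SHOULD-level behaviour (refuse new bindings rather than tear existing ones down), the precedence of an explicit Max-NAT-Bindings over a template value, and RESOURCE_FAILURE when the device has no room for another session. The class and method names, the TEMPLATES table and the numeric value used for RESOURCE_FAILURE are assumptions made for this illustration; only DIAMETER_SUCCESS (2001) is a real RFC 3588 value.

```python
from dataclasses import dataclass, field
from typing import Optional

DIAMETER_SUCCESS = 2001   # RFC 3588 Result-Code
RESOURCE_FAILURE = 5999   # PLACEHOLDER: the draft names this Result-Code but
                          # its numeric value is not on this page

# Hypothetical pre-provisioned NAT Binding Predefined templates, keyed by the
# name carried in the NAT-Control-Binding-Template AVP (constructed data).
TEMPLATES = {"bronze": {"max_bindings": 2}, "gold": {"max_bindings": 100}}


@dataclass
class EndpointSession:
    session_id: str
    max_nat_bindings: Optional[int] = None      # explicit Max-NAT-Bindings AVP
    template: Optional[str] = None              # NAT-Control-Binding-Template AVP
    bindings: set = field(default_factory=set)  # live NAT-bindings of the endpoint

    def effective_limit(self) -> Optional[int]:
        # An explicit Max-NAT-Bindings in the NCR overrides the template's value.
        if self.max_nat_bindings is not None:
            return self.max_nat_bindings
        if self.template is not None:
            return TEMPLATES[self.template]["max_bindings"]
        return None  # no limit configured


class NatDevice:
    def __init__(self, max_sessions: int):
        self.max_sessions = max_sessions  # stands in for the device's resource budget
        self.sessions = {}                # Session-Id -> EndpointSession

    def process_ncr(self, session_id, max_nat_bindings=None, template=None):
        """Apply an NCR to a session and return the Result-Code for the NCA."""
        if session_id not in self.sessions and len(self.sessions) >= self.max_sessions:
            return RESOURCE_FAILURE  # not enough resources to process the request
        if template is not None and template not in TEMPLATES:
            raise ValueError("unknown template %r" % template)  # local policy, not from the draft
        sess = self.sessions.setdefault(session_id, EndpointSession(session_id))
        if template is not None:
            # The new template replaces the old rule; existing bindings are untouched.
            sess.template = template
        if max_nat_bindings is not None:
            # The new value overrides any earlier limit. If it is below the current
            # binding count nothing is torn down here: new_binding() refuses
            # additions until the count has dropped below the limit.
            sess.max_nat_bindings = max_nat_bindings
        return DIAMETER_SUCCESS

    def new_binding(self, session_id, binding) -> bool:
        """Admit a new binding for the endpoint, or refuse it when at the limit."""
        sess = self.sessions[session_id]
        limit = sess.effective_limit()
        if limit is not None and len(sess.bindings) >= limit:
            return False
        sess.bindings.add(binding)
        return True

    def release_binding(self, session_id, binding) -> None:
        self.sessions[session_id].bindings.discard(binding)
```

Lowering the limit while bindings are in use therefore never drops live traffic; the endpoint simply cannot open new bindings until enough of the old ones have been released, which is the behaviour the SHOULD in draft -11 asks for.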
skipping to change at page 20, line 37

4.4.  Session Termination

   Similar to session initiation, session tear down MUST be initiated by
   the DNCA Diameter peer within the NAT-controller.  The DNCA Diameter
   peer sends a Session Terminate Request (STR) message to its peer
   within the NAT-device upon receiving a trigger signal.  The source of
   the trigger signal is outside the scope of this document.  As part of
   STR message processing the DNCA Diameter peer within the NAT-device
   MAY send an accounting stop record reporting all bindings.  All the
   NAT-bindings belonging to the session MUST be removed and the session
   state MUST be cleaned up.  The DNCA Diameter peer within the NAT-
   device MUST notify its DNCA Diameter peer in the NAT-controller about
   successful session termination using a Session Terminate Answer (STA)
   message with Result-Code set to DIAMETER_SUCCESS.  Figure 8 shows the
   protocol interaction between the two DNCA Diameter peers.
   [-10: "All the NAT-bindings belonging to the session are removed and
   the session state is cleaned up."; -11 makes both MUST.]

   If a DNCA Diameter peer within a NAT-device receives a STR and fails
   to find a matching session, the DNCA Diameter peer MUST return a STA
   with Result-Code set to DIAMETER_UNKNOWN_SESSION_ID.

   NAT-controller (DNCA Diameter peer)        NAT-device (DNCA Diameter peer)
           |                                          |
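The STR/STA exchange described in this section, written out as an added example that is not part of the draft: the NAT-controller side builds the STR, the NAT-device side either cleans up the session (optionally emitting an accounting stop record first) and answers DIAMETER_SUCCESS, or answers DIAMETER_UNKNOWN_SESSION_ID when no session matches. Messages are modelled as dicts of AVP name to value rather than wire-encoded AVPs; the Result-Code numbers and the Termination-Cause value DIAMETER_LOGOUT are from RFC 3588, while the session store and record layout are assumptions.

```python
DIAMETER_SUCCESS = 2001             # RFC 3588
DIAMETER_UNKNOWN_SESSION_ID = 5002  # RFC 3588
DIAMETER_LOGOUT = 1                 # RFC 3588 Termination-Cause value


def build_str(session_id, origin_host):
    """NAT-controller side: the Session-Termination-Request for a session."""
    return {
        "Command": "STR",
        "Session-Id": session_id,
        "Origin-Host": origin_host,
        "Termination-Cause": DIAMETER_LOGOUT,
    }


class NatDeviceSessions:
    """NAT-device side session state (assumed structure, not the draft's)."""

    def __init__(self):
        self.sessions = {}    # Session-Id -> set of NAT-bindings
        self.accounting = []  # accounting records emitted by this device

    def handle_str(self, request, send_accounting_stop=True):
        """Process an STR and return the STA to send back to the controller."""
        sid = request["Session-Id"]
        bindings = self.sessions.get(sid)
        if bindings is None:
            # No matching session: answer with DIAMETER_UNKNOWN_SESSION_ID and
            # touch no state, so a stray or replayed STR has no side effects.
            return {"Command": "STA", "Session-Id": sid,
                    "Result-Code": DIAMETER_UNKNOWN_SESSION_ID}
        if send_accounting_stop:
            # Optional accounting stop record reporting all bindings.
            self.accounting.append({"Session-Id": sid,
                                    "Accounting-Record-Type": "STOP",
                                    "bindings": sorted(bindings)})
        # All NAT-bindings of the session are removed and the state cleaned up.
        del self.sessions[sid]
        return {"Command": "STA", "Session-Id": sid,
                "Result-Code": DIAMETER_SUCCESS}


def terminate_session(device, session_id, controller_host):
    """Controller-side helper: send STR to the device and return the STA Result-Code."""
    sta = device.handle_str(build_str(session_id, controller_host))
    return sta["Result-Code"]
```

A second STR for the same Session-Id is answered with DIAMETER_UNKNOWN_SESSION_ID and produces no second accounting record, which is the idempotent behaviour a controller retrying after a lost STA relies on.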
skipping to change at page 32, line 33

                                                 |   AVP Flag rules    |
   +------------------+------+------------+----+-----+----+-----+----+
   |                  | AVP  |            |    |     |SHLD| MUST|    |
   | Attribute Name   | Code | Value Type |MUST| MAY | NOT| NOT |Encr|
   |------------------|------|------------|----+-----+----+-----+----|
   | NAS-Port         |   5  | Unsigned32 | M  |  P  |    |  V  | Y  |
   | NAS-Port-Id      |  87  | UTF8String | M  |  P  |    |  V  | Y  |
   | Calling-Station- |  31  | UTF8String | M  |  P  |    |  V  | Y  |
   |  Id              |      |            |    |     |    |     |    |
   | Framed-IP-Address|   8  | OctetString| M  |  P  |    |  V  | Y  |
   | Framed-IP-Netmask|   9  | OctetString| M  |  P  |    |  V  | Y  |
   | Framed-Interface-|  96  | Unsigned64 | M  |  P  |    |  V  | Y  |
   |  Id              |      |            |    |     |    |     |    |
   | Framed-IPv6-     |  97  | OctetString| M  |  P  |    |  V  | Y  |
   |  Prefix          |      |            |    |     |    |     |    |
   +------------------+------+------------+----+-----+----+-----+----+
   [-11 removes the Framed-IP-Netmask (9) row; all other rows are
   unchanged.]

                Table 2: Reused NASREQ Diameter application AVPs

8.4.  Reused AVPs from RFC 4675

   The following table describes the AVPs reused from "RADIUS Attributes
skipping to change at page 37, line 51

   AVP format:

      NAT-Internal-Address ::= < AVP Header: TBD >
                               [ Framed-IP-Address ]
                               [ Framed-IPv6-Prefix ]
                               [ Port ]
                             * [ AVP ]

8.7.6.  NAT-External-Address AVP

   The NAT-External-Address AVP (AVP code TBD) is of type Grouped, and
   it describes the external IP-address and port for a binding.  The
   external IP-address specified in this attribute can be reused for
   multiple endpoints by specifying the same address in the respective
   NAT-External-Address AVPs.  If the external IP-address is not
   specified and the NAT-External-Port-Style AVP is specified in the
   NAT-Control-Definition AVP then the NAT-device MUST select external
   port as per the NAT-External-Port-Style AVP.
   [-10 had an additional sentence after the first one: "Framed-IP-
   Netmask AVP can only be specified when the Framed-IP-Address AVP is
   present."; -11 drops it.]

   AVP format:

      NAT-External-Address ::= < AVP Header: TBD >
                               [ Framed-IP-Address ]
                               [ Port ]
                             * [ AVP ]
      [-10 also listed "[ Framed-IP-Netmask ]" between Framed-IP-Address
      and Port; -11 drops it.]

8.7.7.  Max-NAT-Bindings

   The Max-NAT-Bindings AVP (AVP code TBD) is of type Unsigned32.  It
   indicates the maximum number of NAT-bindings allowed for a particular
   endpoint.

8.7.8.  NAT-Control-Binding-Template AVP
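To make the Grouped AVP format of NAT-External-Address concrete, here is an added example (not from the draft) that encodes and decodes the -11 form of the AVP on the wire according to the RFC 3588 AVP header layout: 32-bit code, 8-bit flags, 24-bit length covering header plus data but not padding, and data padded to a 4-byte boundary. Framed-IP-Address uses its real code 8 from Table 2 above; the AVP codes for NAT-External-Address and Port are "TBD" in the draft, so placeholders are used, and Port is assumed to be an Unsigned32. The decoder rejects truncated or overlong AVPs, which is the check a receiver needs before trusting a length field from the peer.

```python
import ipaddress
import struct

AVP_FLAG_V = 0x80  # Vendor-Specific bit: a 4-byte Vendor-ID follows the header
AVP_FLAG_M = 0x40  # Mandatory bit

FRAMED_IP_ADDRESS = 8        # from Table 2 (reused NASREQ AVP)
NAT_EXTERNAL_ADDRESS = 9001  # PLACEHOLDER: AVP code is TBD in the draft
PORT = 9002                  # PLACEHOLDER: AVP code is TBD in the draft


def encode_avp(code, data, flags=AVP_FLAG_M):
    """Encode one AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    length = 8 + len(data)  # header + data; padding is not counted
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def encode_nat_external_address(ip=None, port=None):
    """Build NAT-External-Address (-11 form): [Framed-IP-Address] [Port]."""
    body = b""
    if ip is not None:
        body += encode_avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
    if port is not None:
        body += encode_avp(PORT, struct.pack("!I", port))  # Port assumed Unsigned32
    return encode_avp(NAT_EXTERNAL_ADDRESS, body)


def decode_avps(buf):
    """Decode a run of AVPs into (code, flags, data) tuples, validating lengths."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")  # never trust a peer's length field
        out.append((code, flags, buf[off + hdr:off + length]))
        off += length + ((-length) % 4)  # skip the padding too
    return out


def decode_nat_external_address(buf):
    """Parse a NAT-External-Address AVP into a dict with 'ip' and/or 'port'."""
    (code, _flags, body), = decode_avps(buf)
    if code != NAT_EXTERNAL_ADDRESS:
        raise ValueError("not a NAT-External-Address AVP")
    result = {}
    for c, _f, d in decode_avps(body):
        if c == FRAMED_IP_ADDRESS:
            result["ip"] = str(ipaddress.IPv4Address(d))
        elif c == PORT:
            result["port"] = struct.unpack("!I", d)[0]
        # unknown sub-AVPs (the "* [ AVP ]" slot) are ignored here
    return result


def is_well_formed(buf):
    """True if buf parses as a sequence of AVPs with consistent lengths."""
    try:
        decode_avps(buf)
        return True
    except ValueError:
        return False
```

Both optional members may be absent, matching the text above: an AVP carrying only Port is valid, and the NAT-device then picks the external address by its own policy.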
skipping to change at page 45, line 36

   traffic analysis.

   Diameter offers security mechanisms to deal with the functionality
   demanded above.  DNCA makes use of the capabilities offered by
   Diameter and the underlying transport protocols to deliver these
   requirements (see Section 5.1).  If the DNCA communication traverses
   untrusted networks, messages between DNCA Diameter peers SHOULD be
   secured using either IPsec or TLS.  Please refer to [RFC3588],
   section 13 for details.  DNCA Diameter peers SHOULD perform bilateral
   authentication, authorization as well as procedures to ensure
   integrity and confidentiality of the information exchange.  In
   addition the Session-Id chosen for a particular Diameter session
   SHOULD be chosen in a way that it is hard to guess in order to
   mitigate issues through potential message replay.
   [-10: the paragraph ends at "... of the information exchange."; the
   sentence on hard-to-guess Session-Ids is new in -11.]
   DNCA Diameter peers SHOULD have a mutual trust setup.  This document
   does not specify a mechanisms for authorization between the DNCA
   Diameter peers.  The DNCA Diameter peers SHOULD be provided with
   sufficient information to make an authorization decision.  The
   information can come from various sources, for example the peering
   devices could store local authentication policy, listing the
   identities of authorized peers.
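Draft -11 adds the requirement that Session-Ids be hard to guess. A predictable Session-Id (identity plus timestamp plus counter) lets a party that merely observes one id forecast the next ones, which is what makes replayed or forged session-scoped messages plausible. The added example below (not code from the draft) generates Session-Ids in the RFC 3588 section 8.8 format, <DiameterIdentity>;<high 32 bits>;<low 32 bits>[;<optional value>], and fills the optional value with 128 bits from the operating system CSPRNG; a companion check lets the receiving peer refuse ids that carry no such unguessable part. The function names and the 32-hex-digit threshold are assumptions for this illustration.

```python
import re
import secrets
import threading
import time
from typing import Optional

# RFC 3588 section 8.8 Session-Id format:
#   <DiameterIdentity>;<high 32 bits>;<low 32 bits>[;<optional value>]
# high = time-derived, low = monotonically increasing counter. Those two
# fields are predictable, so the optional value carries the entropy here.

_counter = 0
_lock = threading.Lock()


def make_session_id(identity: str, now: Optional[float] = None) -> str:
    """Return a fresh Session-Id whose optional value is 128 random bits."""
    global _counter
    with _lock:
        _counter = (_counter + 1) & 0xFFFFFFFF
        low = _counter
    high = int(time.time() if now is None else now) & 0xFFFFFFFF
    return "%s;%d;%d;%s" % (identity, high, low, secrets.token_hex(16))


_SESSION_ID_RE = re.compile(r"^([^;]+);(\d+);(\d+)(?:;([^;]+))?$")


def parse_session_id(sid: str) -> dict:
    """Split a Session-Id into its RFC 3588 components."""
    m = _SESSION_ID_RE.match(sid)
    if not m:
        raise ValueError("malformed Session-Id")
    return {"identity": m.group(1), "high": int(m.group(2)),
            "low": int(m.group(3)), "optional": m.group(4)}


def has_unguessable_part(sid: str, min_hex_chars: int = 32) -> bool:
    """Receiver-side check: accept only ids whose optional value carries at
    least min_hex_chars lowercase hex digits (128 bits by default)."""
    opt = parse_session_id(sid)["optional"]
    return (opt is not None and len(opt) >= min_hex_chars
            and all(c in "0123456789abcdef" for c in opt))
```

The check is a local policy that a DNCA peer can apply in addition to IPsec or TLS, not a substitute for them: transport security protects the channel, while an unguessable Session-Id keeps an attacker who learns one id from addressing other sessions.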
   Any mechanism or protocol providing control of a NAT-device, and DNCA
End of changes.  11 change blocks.
20 lines changed or deleted, 23 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/