draft-ietf-dime-nat-control-12.txt (changes relative to draft-ietf-dime-nat-control-11.txt)

Internet Engineering Task Force                            F. Brockners
Internet-Draft                                              S. Bhandari
Intended status: Standards Track                                  Cisco
Expires: April 27, 2012                                        V. Singh
                                                             V. Fajardo
                                                 Telcordia Technologies
                                                       October 25, 2011

    Diameter Network Address and Port Translation Control Application
                     draft-ietf-dime-nat-control-12

Abstract

This document describes the framework, messages, and procedures for
the Diameter Network address and port translation Control
Application. This Diameter application allows per endpoint control
of Network Address Translators and Network Address and Port
Translators, which are added to networks to cope with IPv4-address
space depletion. This Diameter application allows external devices
to configure and manage a Network Address Translator device -
skipping to change at page 2, line 7

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 27, 2012.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 5, line 23

translation [RFC2663] as well as stateful IPv6-to-IPv4 address family
translation as defined in [RFC2663], [RFC6145], and [RFC6146]. The
use of a Diameter application allows for simple integration into the
existing Authentication, Authorization and Accounting (AAA)
environment of a provider.

The Diameter Network address and port translation Control Application
(DNCA) offers the following capabilities:

1. Limits or defines the number of NAPT/NAT bindings made available
   to an individual endpoint. The main motivation for restricting
   the number of bindings on a per endpoint basis is to protect the
   service of the service provider against denial of service
   attacks. If multiple endpoints share a single public IP address,
   these endpoints share fate: if one endpoint (either
   intentionally, or due to misbehavior, misconfiguration, malware,
   etc.) were able to consume all available bindings for a given
   public IP address, service would be hampered (or might even
   become unavailable) for the other endpoints sharing the same
   public IP address. The efficiency of a NAPT deployment depends on
   the maximum number of bindings an endpoint could use. Given that
   the typical number of bindings an endpoint uses depends on the
   type of endpoint (e.g. a personal computer of a broadband user is
   expected to use a higher number of bindings than a simple mobile
   phone) and a NAPT device is often shared by different types of
   endpoints, it is desirable to actively manage the maximum number
   of bindings. This requirement is specified in REQ-3 of
   [I-D.ietf-behave-lsn-requirements].

2. Supports the allocation of specific NAPT/NAT bindings. Two types
   of specific bindings can be distinguished:

   * Allocation of a pre-defined NAT binding: Both the internal and
     external IP address and port pair are specified within the
     request. Some deployment cases, such as access to a web-
     server within a user's home network with IP address and port,

skipping to change at page 6, line 21

   external IP address: External address pools can either be pre-
   assigned at the NAPT/NAT device, or specified within a request.
   If pre-assigned address pools are used, a request needs to
   include a reference to identify the pool. Otherwise, the request
   contains a description of the IP address pool(s) to be used; for
   example, a list of IP-subnets. Such external address pools can
   be used to select the external IP address in NAPT/NAT bindings
   for multiple subscribers.

4. Generates reports and accounting records: Reports established
   bindings for a particular endpoint. The collected information is
   used by accounting systems for statistical purposes.

5. Queries and retrieves details about bindings on demand: This
   feature complements the accounting functionality (see item 4).
   It can be used by an entity to find NAT-bindings belonging to one
   or multiple endpoints on the NAT-device. The entity is not
   required to create a DNCA control session to perform the query,
   but still needs to create a Diameter session that complies with
   the security requirements.

6. Identifies a subscriber or endpoint on multiple network devices
   (NAT/NAPT device, the AAA-server, or the Network Access Server
   (NAS)): Endpoint identification is facilitated through a Global
   Endpoint ID. Endpoints are identified through a single or a set
   of classifiers, such as IP address, Virtual Local Area Network
   (VLAN) identifier, or interface identifier, which uniquely
   identify the traffic associated with a particular global
   endpoint.

With the above capabilities, DNCA qualifies as a MIDCOM protocol
[RFC3303], [RFC3304], [RFC5189] for middleboxes which perform NAT.
The MIDCOM protocol evaluation [RFC4097] evaluated Diameter as a
candidate protocol for MIDCOM. DNCA provides the extensions to the
Diameter base protocol [RFC3588] following the MIDCOM protocol
requirements, such as the support of NAT-specific rule transport,
support for oddity of mapped ports, as well as support for
consecutive port number ranges. DNCA adds to the MIDCOM protocol
capabilities in that it maintains the reference to an endpoint
representing a user or subscriber in the control operation, enabling
the control of the behavior of a NAT-device on a per endpoint basis.
Following the requirements of different operators and deployments,
different management protocols are employed; examples include SNMP
[RFC3411] and NETCONF [RFC6241], which can both be used for device
configuration. Similarly, DNCA complements existing MIDCOM
implementations, offering a MIDCOM protocol option for operators
with a Diameter-focused operational environment who wish to use
Diameter to perform per endpoint NAT control.

This document is structured as follows: Section 2 lists terminology,
while Section 3 provides an introduction to DNCA and its overall
deployment framework. Sections 4 to 8 cover DNCA specifics, with
Section 4 describing session management, Section 5 the use of the
Diameter base protocol, Section 6 new commands, Section 7 Attribute
Value Pairs (AVPs) used, and Section 8 accounting aspects. Section 9
presents AVP occurrence tables. IANA and security considerations are
addressed in Sections 10 and 11.
skipping to change at page 7, line 36

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

Abbreviations used in this document:

AAA: Authentication, Authorization, Accounting

DNCA: Diameter Network address and port translation Control
Application

Endpoint: Managed entity of the DNCA. An endpoint represents a
network element or device, associated with a subscriber, a user or
a group of users. An endpoint is represented by a single access-
session on a NAS. DNCA assumes a 1:1 relationship between an
endpoint, the access-session it represents, and the associated
DNCA session.

NAPT: Network Address and Port Translation, see also [RFC3022]

NAT: Network Address Translation (NAT and NAPT are used in this
document interchangeably)

NAT-binding or binding: Association of two IP address/port pairs
(with one IP address typically being private and the other one
public) to facilitate NAT

NAT Binding Predefined template: A policy template or configuration
that is predefined at the NAT-device. It may contain NAT-bindings,
IP-address pools for allocating the external IP-address of a
NAT-binding, the maximum number of allowed NAT-bindings for
endpoints, etc.

NAT-device: Network Address Translator or Network Address and Port
Translator: An entity performing NAT or NAPT.

NAT-controller: Entity controlling the behavior of a NAT-device.

skipping to change at page 8, line 34

NAT64: IPv6 to IPv4 address family translation, see [RFC6145] and
[RFC6146]

PPP: Point-to-Point Protocol [RFC1661]
3. Deployment Framework

3.1. Deployment Scenario

Figure 1 shows a typical network deployment for IPv4-Internet access.
A user's IPv4 host (i.e. endpoint) gains access to the Internet
through a NAS, which facilitates the authentication of the endpoint
and configures the endpoint's connection according to the
authorization and configuration data received from the AAA-server
upon successful authentication. Public IPv4 addresses are used
throughout the network.

                             +---------+
                             |         |
                             |   AAA   |
                             |         |
                             +---------+
                                  |
                                  |
                                  |
                                  |

skipping to change at page 10, line 14

                             +---------+
                             |         |
                             |   AAA   |
                             |         |
                             +---------+
                                  |
                                  |
                                  |
                                  |
+--------+    +---------+    +--------+    +----------+
|  IPv4  |----|         |----|  NAT-  |----|  IPv4-   |
|  Host  |    |   NAS   |    | device |    | Internet |
|        |    |         |    |        |    |          |
+--------+    +---------+    +--------+    +----------+

For NAT44 deployments (IPv4 host):
<----- Private IPv4 ----------><--- Public IPv4 --->

For NAT64 deployments (IPv6 host):
<----- Public IPv6 ----------><--- Public IPv4 --->

            Figure 2: Access network deployment with NAT
skipping to change at page 12, line 45

For NAT64 deployments (IPv6 host):
<----- Public IPv6 ----------><--- Public IPv4 --->

        Figure 3: NAT control deployment: Integrated deployment

Figure 3 shows examples of integrated deployments. The figure
describes two scenarios: one where an IPv4-host (with a private IPv4
address) accesses the IPv4-Internet, and one where an IPv6-host
accesses the IPv4-Internet.

The autonomous deployment approach decouples endpoint management on
the NAS and NAT-device. In the autonomous deployment approach, the
AAA-system and the NAT-device are the Diameter peers running the
DNCA. The AAA-system also serves as NAT-controller. It manages the
connection to the NAT-device, controls the per endpoint
configuration, and also receives accounting and reporting information
from the NAT-device. Different from the integrated deployment
scenario, the autonomous deployment scenario does not "hide" the
existence of the NAT-device from the AAA infrastructure. Here two
accounting streams are received by the AAA-server for one particular
endpoint, one from the NAS, and one from the NAT-device.

                             +---------+
                             |   (C)   |
skipping to change at page 14, line 36

setup using a NAT-Control Answer (NCA) message with Result-Code set
to DIAMETER_SUCCESS. Figure 5 shows the initial protocol interaction
between the two DNCA Diameter peers.

The initial NAT-Control-Request MAY contain configuration information
for the session, which specifies the behavior of the NAT-device for
the session. The configuration information that MAY be included
comprises:

o A list of NAT bindings, which should be pre-allocated for the
  session; for example, in case an endpoint requires a fixed
  external IP-address/port pair for an application.

o The maximum number of NAT-bindings allowed for an endpoint.

o A description of the external IP-address pool(s) to be used for
  the session.

o A reference to a NAT Binding Predefined template on the NAT-
  device, which is applied to the session. Such a NAT Binding
  Predefined template on the NAT-device may contain, for example,
  the name of the IP-address pool that external IP-addresses should
skipping to change at page 28, line 21

                                        Send STR
Open      ASR Received,                 Send ASA with        Open
          access session will not       Result-Code
          be terminated                 != SUCCESS
Discon    ASR Received                  Send ASA             Idle
Discon    STA Received                  Discon. endpoint     Idle

The following state machine is observed by a DNCA Diameter peer
within a NAT-device.

DNCA Diameter peer within a NAT-device

State     Event                         Action               New State
----------------------------------------------------------------------
Idle      NCR Query request             Send successful      Idle
          received, and able to         NCA
          provide requested
skipping to change at page 36, line 15

QUERY_REQUEST (3)

Query Request is used to query a NAT-device about the currently
installed bindings for an endpoint classifier.

8.7.2. NAT-Control-Install AVP

The NAT-Control-Install AVP (AVP code TBD) is of type Grouped, and it
is used to activate or install NAT bindings. It also contains
Max-NAT-Bindings, which defines the maximum number of NAT bindings
allowed for an endpoint, and the NAT-Control-Binding-Template, which
references a predefined template on the NAT-device that may contain
static bindings, a maximum number of bindings allowed, an IP-address
pool from which external binding addresses should be allocated, etc.
If the NAT-External-Port-Style AVP is present, then the NAT-device
MUST select the external ports for the NAT-Bindings as per the style
specified. The NAT-External-Port-Style is applicable for NAT-
Bindings defined by the NAT-Control-Definition AVPs whose
NAT-External-Address AVP, or the Port AVP within the
NAT-External-Address, is unspecified.
skipping to change at page 44, line 38

all datagrams received from the originator. Lack of authentication
of Diameter messages between the Diameter peers can jeopardize the
fundamental service of the peering network elements. A consequence
of not authenticating the message sender by the recipient would be
that an attacker could spoof the identity of a "legitimate"
authorizing entity in order to change the behavior of the receiver.
An attacker could for example launch a denial of service attack by
setting the maximum number of bindings for a session on the NAT-
device to zero; provision bindings on a NAT-device which include IP-
addresses already in use in other parts of the network; or request
termination of the Diameter session and hamper an endpoint's (i.e. a
user's) connectivity. Lack of authentication of a NAT-device to a
NAT-controller could lead to situations where the NAT-device provides
a wrong view of the resources (i.e. NAT-bindings). In addition, a
NAT Binding Predefined template on the NAT-device could be configured
differently than expected by the NAT-controller. Failure of either
DNCA Diameter peer to provide the required credentials should be
logged. The corresponding logging infrastructure of the operator
SHOULD be built in a way that it can mitigate potential denial of
service attacks resulting from large amounts of logging events. This
could include proper dimensioning of the logging infrastructure
combined with policing the maximum amount of logging events accepted
by the logging system to a threshold which the system is known to be
able to handle.
skipping to change at page 46, line 8

devices could store local authentication policy, listing the
identities of authorized peers.
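The peer-authorization policy and the policing of authentication-failure log events described in the security considerations above, as an added example that is not part of this draft: an allowlist check of the peer's Origin-Host (transport-level authentication by TLS or IPsec is taken as an input here rather than performed) and a token-bucket policer that caps how many failure events reach the operator's logging system. The peer names, rate and burst values are constructed for illustration.

```python
"""Added example (not from the draft): admit NCRs only from peers listed in
local authorization policy, and police the rate of authentication-failure
log events so a flood of bogus peers cannot swamp the logging system.
Peer names, rate and burst below are illustrative assumptions."""
import time
from typing import Callable, List, Set


class LogPolicer:
    """Token bucket in front of the log sink: at most `rate` events per
    second with a burst of `burst`; excess events are counted, not forwarded."""

    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, float(burst), clock
        self.tokens = float(burst)
        self.last = clock()
        self.dropped = 0
        self.forwarded: List[str] = []

    def log(self, event: str) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.forwarded.append(event)
            return True
        self.dropped += 1          # over threshold: dropped, never forwarded
        return False


class PeerAuthorizer:
    """Local authorization policy for a DNCA peer.  `peer_authenticated` is
    whether the transport (TLS/IPsec, per the Diameter base protocol)
    verified the peer; `origin_host` is the Origin-Host it presented."""

    def __init__(self, authorized_peers: Set[str], policer: LogPolicer):
        self.authorized = set(authorized_peers)
        self.policer = policer

    def admit(self, origin_host: str, peer_authenticated: bool, command: str) -> bool:
        if not peer_authenticated:
            self.policer.log(f"dnca: unauthenticated peer {origin_host!r} sent {command}")
            return False
        if origin_host not in self.authorized:
            self.policer.log(f"dnca: peer {origin_host!r} not authorized for {command}")
            return False
        return True


def demo() -> dict:
    """Constructed sequence: one authorized NAS, then 50 forged NCRs, then an
    unauthenticated peer ten seconds later (a fake clock drives the bucket)."""
    t = [0.0]
    policer = LogPolicer(rate=2.0, burst=5, clock=lambda: t[0])
    auth = PeerAuthorizer({"nas1.example.net"}, policer)   # assumed policy
    accepted = auth.admit("nas1.example.net", True, "NCR")
    rejected = sum(not auth.admit(f"forged{i}.example.net", True, "NCR")
                   for i in range(50))
    t[0] += 10.0                                            # bucket refills
    auth.admit("nas2.example.net", False, "NCR")
    return {"accepted": accepted, "rejected": rejected,
            "forwarded": len(policer.forwarded), "dropped": policer.dropped}


if __name__ == "__main__":
    print(demo())
```

The policer sits only in front of the log sink: every unauthorized request is still rejected, so an attacker can exhaust the logging budget but cannot use the flood to get a request accepted or to hide a later failure from the reject path itself.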
Any mechanism or protocol providing control of a NAT-device, and DNCA
is an example of such a control mechanism, could allow for misuse of
the NAT-device given that it enables the definition of per-
destination or per-source rules. Misuse could include anti-
competitive practices among providers, censorship, crime, etc. NAT-
control could be used as a tool for preventing or redirecting access
to particular sites. For instance, by controlling the NAT bindings,
one could ensure that endpoints are not able to receive particular
flows, or that those flows are redirected to a relay that snoops on
or tampers with traffic instead of directly forwarding the traffic to
the intended endpoint. In addition, one could set up a binding in a
way that the source IP address used is that of a relay, so that
traffic coming back can be snooped on or interfered with. The
protections on DNCA and its Diameter protocol exchanges do not
prevent such abuses of NAT-control. A service provider deploying DNCA
needs to make sure that higher layer processes and procedures are put
in place that allow it to detect and mitigate misuse.
13.  Examples

   This section shows example DNCA message content and exchange.

13.1.  DNCA Session Establishment Example

   Figure 15 depicts a typical call flow for DNCA session establishment.
   In this example, the NAT-controller:

   a.  requests a maximum of 100 NAT-bindings for the endpoint.

   b.  defines a static binding for a TCP connection which associates
       the internal IP-Address:Port 192.0.2.1:80 with the external IP-
       Address:Port 198.51.100.1:80 for the endpoint.

   c.  requests the use of a preconfigured template called "local-
       policy" while creating NAT-bindings for the endpoint.
    endpoint           NAT-Controller (within NAS)             NAT-device
       |                            |                               |
       |                            |                               |
       |    1. Trigger              |                               |
       |--------------------------->|                               |
       |         +-------------------------------------+            |
       |         | 2. Determine that NAT control       |            |
       |         |    is required for the endpoint     |            |
       |         +-------------------------------------+            |
       |                            |                               |
       |                            |                               |
       |                           ...................................
       |                           .| 3. Diameter Base CER/CEA      |.
       |                           .|<----------------------------->|.
       |                           ...................................
       |                            |                               |
       |                            |                               |
       |                            |      4. NCR                   |
       |                            |------------------------------>|
       |                            |                               |
       |                            |                  5. DNCA session
       |                            |                     established
       |                            |                               |
       |                            |      6. NCA                   |
       |                            |<------------------------------|
       |                            |                               |
       |                            |                               |
       |    7. Data traffic         |                               |
       |----------------------------------------------------------->|
       |                            |                               |
       |                            |                               |
       |                            |                  8. NAT Bindings
       |                            |                  created as per
       |                            |                  directives in the
       |                            |                  DNCA session
       |                            |                               |

   Figure 15: Initial NAT control request and session establishment
                                 example
   Detailed description of the steps shown in Figure 15:

   1.  The NAT-controller (co-located with the NAS here) creates state
       for an endpoint based on a trigger.  This could for example be
       the successful establishment of a Point-to-Point Protocol (PPP)
       [RFC1661] access session.

   2.  Based on the configuration of the DNCA Diameter peer within the
       NAT-controller, the NAT-controller determines that NAT-control is
       required and is to be enforced at a NAT-device.

   3.  If there is no Diameter session already established with the DNCA
       Diameter peer within the NAT-device, a Diameter connection is
       established and Diameter Base CER/CEA are exchanged.

   4.  The NAT-Controller creates an NCR message (see below) and sends
       it to the NAT-device.  This example shows IPv4 to IPv4 address
       and port translation.  For IPv6 to IPv4 translation, the Framed-
       IP-Address AVP would be replaced by the Framed-IPv6-Address AVP
       with the value set to the IPv6 address of the endpoint.
         < NC-Request > ::= < Diameter Header: TBD, REQ, PXY>
              Session-Id = "natC.example.com:33041;23432;"
              Auth-Application-Id = <DNCA Application ID>
              Origin-Host = "natC.example.com"
              Origin-Realm = "example.com"
              Destination-Realm = "example.com"
              Destination-Host = "nat-device.example.com"
              NC-Request-Type = INITIAL_REQUEST
              User-Name = "subscriber_example1"
              Framed-IP-Address = "192.0.2.1"

   skipping to change at page 49, line 12
   6.  The NAT-device sends an NCA to indicate the successful completion
       of the request.

         <NC-Answer> ::= < Diameter Header: TBD, PXY >
              Session-Id = "natC.example.com:33041;23432;"
              Origin-Host = "nat-device.example.com"
              Origin-Realm = "example.com"
              NC-Request-Type = INITIAL_REQUEST
              Result-Code = DIAMETER_SUCCESS
   7.  The endpoint sends packets that reach the NAT-device.

   8.  The NAT-device performs NAT for traffic received from the
       endpoint with source address 192.0.2.1.  Traffic with source IP-
       address 192.0.2.1 and port 80 is translated to the external IP-
       address 198.51.100.1 and port 80.  Traffic with source IP-address
       192.0.2.1 and a source port different from 80 will be translated
       to IP-address 198.51.100.1 and a port chosen by the NAT-device.
       Note that this example assumes that the NAT-device follows
       typical binding allocation rules for endpoints, in that only a
       single external IP-address is used for all traffic received from
       a single IP-address of an endpoint.  The NAT-device will allow a
       maximum of 100 NAT-bindings to be created for the endpoint.
13.2.  DNCA Session Update with Port Style Example

   This section gives an example for a DNCA session update: A new set of
   NAT-bindings is requested for an existing session.  The request
   contains a directive (the "NAT-External-Port-Style" AVP set to
   FOLLOW_INTERNAL_PORT_STYLE) that directs the NAT-device to maintain
   port-sequence and port-oddity for the newly created NAT-bindings.  In
   the example shown, the internal ports are UDP ports 1036 and 1037.
   The NAT-device follows the directive and selects the external ports

   skipping to change at page 52, line 5
                   Port = 5057
                 }
              Session-Id = "natC.example.com:33041;23432;"
            }
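   The following is an added example, not code from the draft or from
   any DNCA implementation.  It models the NAT-device side of the
   session establishment example (Section 13.1: the static binding
   192.0.2.1:80 <-> 198.51.100.1:80, the cap of 100 NAT-bindings, and
   step 8's "port chosen by the NAT-device") and of the session update
   example (Section 13.2: NAT-External-Port-Style set to
   FOLLOW_INTERNAL_PORT_STYLE, which preserves port parity and port
   sequence for newly created bindings).  Class, method and exception
   names are this example's own; the external port range of 1024-65535
   and the rule that a foreign source address is refused rather than
   translated are assumptions, not behaviour the draft specifies.

```python
"""Toy model of the NAT-device side of a DNCA session (added example; not
code from the draft or from any DNCA implementation).  Names, the port
range and the foreign-source handling are this example's assumptions."""

from dataclasses import dataclass
from typing import Dict, Set, Tuple

Key = Tuple[str, str, int]  # (protocol, internal IP, internal port)


@dataclass(frozen=True)
class Binding:
    proto: str
    internal: Tuple[str, int]  # endpoint side
    external: Tuple[str, int]  # as seen beyond the NAT-device


class MaxBindingsExceeded(Exception):
    """The session already holds the maximum number of NAT-bindings."""


class NotTheEndpoint(Exception):
    """Packet source is not the endpoint this session was created for."""


class NatSession:
    def __init__(self, framed_ip: str, external_ip: str, max_bindings: int,
                 port_range: Tuple[int, int] = (1024, 65535)):
        self.framed_ip = framed_ip        # Framed-IP-Address from the NCR
        self.external_ip = external_ip    # one external address per endpoint
        self.max_bindings = max_bindings
        self.lo, self.hi = port_range
        self.bindings: Dict[Key, Binding] = {}
        self.used: Dict[str, Set[int]] = {}  # external ports in use, per protocol
        self.follow_internal_port_style = False

    def _reserve(self, proto: str, int_port: int, ext_port: int) -> Binding:
        if len(self.bindings) >= self.max_bindings:
            raise MaxBindingsExceeded(self.max_bindings)
        used = self.used.setdefault(proto, set())
        if ext_port in used:
            raise ValueError(f"{proto} external port {ext_port} already in use")
        b = Binding(proto, (self.framed_ip, int_port), (self.external_ip, ext_port))
        self.bindings[(proto, self.framed_ip, int_port)] = b
        used.add(ext_port)
        return b

    def add_static_binding(self, proto: str, int_port: int, ext_port: int) -> Binding:
        """Directive (b) of the establishment example."""
        return self._reserve(proto, int_port, ext_port)

    def set_external_port_style(self, follow_internal: bool) -> None:
        """NAT-External-Port-Style directive of the update example."""
        self.follow_internal_port_style = follow_internal

    def _free(self, proto: str, port: int) -> bool:
        return self.lo <= port <= self.hi and port not in self.used.get(proto, set())

    def _pick_port(self, proto: str, int_port: int) -> int:
        """Choose an external port; honour parity and sequence when asked."""
        if self.follow_internal_port_style:
            prev = self.bindings.get((proto, self.framed_ip, int_port - 1))
            if prev is not None:               # keep the sequence if possible
                candidate = prev.external[1] + 1
                if candidate % 2 == int_port % 2 and self._free(proto, candidate):
                    return candidate
            start = self.lo if self.lo % 2 == int_port % 2 else self.lo + 1
            step = 2                           # keep parity (port-oddity)
        else:
            start, step = self.lo, 1           # any free port will do
        for port in range(start, self.hi + 1, step):
            if self._free(proto, port):
                return port
        raise RuntimeError("external port pool exhausted")

    def translate(self, proto: str, src_ip: str, src_port: int) -> Binding:
        """Step 8: reuse an existing binding or create one for new traffic."""
        if src_ip != self.framed_ip:
            raise NotTheEndpoint(src_ip)       # assumption: refuse, don't translate
        key = (proto, src_ip, src_port)
        if key not in self.bindings:
            self._reserve(proto, src_port, self._pick_port(proto, src_port))
        return self.bindings[key]


def walk_through_examples() -> NatSession:
    """Replays directives (a) and (b) of 13.1 and the port-style update of 13.2."""
    s = NatSession("192.0.2.1", "198.51.100.1", max_bindings=100)
    s.add_static_binding("tcp", 80, 80)        # 192.0.2.1:80 <-> 198.51.100.1:80
    s.translate("tcp", "192.0.2.1", 3000)      # port chosen by the NAT-device
    s.translate("udp", "192.0.2.1", 4000)      # takes UDP 1024 before the update
    s.set_external_port_style(True)            # FOLLOW_INTERNAL_PORT_STYLE
    s.translate("udp", "192.0.2.1", 1036)      # even internal -> even external (1026)
    s.translate("udp", "192.0.2.1", 1037)      # next in sequence, odd (1027)
    return s


def cap_is_enforced(max_bindings: int) -> bool:
    """True if the binding after the max_bindings-th one is refused."""
    s = NatSession("192.0.2.1", "198.51.100.1", max_bindings)
    for port in range(20000, 20000 + max_bindings):
        s.translate("udp", "192.0.2.1", port)
    try:
        s.translate("udp", "192.0.2.1", 20000 + max_bindings)
    except MaxBindingsExceeded:
        return True
    return False
```

   In walk_through_examples() the UDP binding created before the update
   occupies external port 1024, so the parity rule skips 1025 (odd) and
   assigns 1026 to internal port 1036; internal port 1037 then gets 1027
   both because it follows in sequence and because it is odd.  The
   external ports the draft's own text selects for this case lie in the
   elided part of Section 13.2 and are not reproduced here.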
13.4.  DNCA Session Termination Example

   In this example the NAT-controller decides to terminate the
   previously established DNCA session.  This could for example be the
   case as a result of an access session (e.g. a PPP session) associated
   with an endpoint being torn down.
   NAT-Controller                          NAT-device
        |                                       |
        |                                       |
   +--------------+                             |
   | 1. Trigger   |                             |
   +--------------+                             |
        |                                       |
        |                                       |
        |   2. STR                              |

   skipping to change at page 52, line 40

        |   7. STA                              |
        |<--------------------------------------|
        |                                       |

        Figure 20: NAT control session termination example
   The following steps describe the sequence of events for tearing down
   the DNCA session in the example above:

   1.  The NAT-controller receives a trigger that a DNCA session
       associated with a specific endpoint should be terminated.  An
       example event could be the termination of the PPP [RFC1661]
       access session to an endpoint in a NAS.  The NAS correspondingly
       triggers the NAT-controller to request tear-down of the
       associated DNCA session.

   2.  The NAT-controller creates the required NCR message and sends it
       to the NAT-device:
         < STR > ::= < Diameter Header: 275, REQ, PXY>
              Session-Id = "natC.example.com:33041;23432;"
              Auth-Application-Id = <DNCA Application ID>
              Origin-Host = "natC.example.com"

   skipping to change at page 54, line 14
         <ACA> ::= < Diameter Header: 271, PXY >
              Session-Id = "natC.example.com:33041;23432;"
              Origin-Host = "natC.example.com"
              Origin-Realm = "example.com"
              Result-Code = DIAMETER_SUCCESS
              Accounting-Record-Type = STOP_RECORD
              Accounting-Record-Number = 1
   6.  On receipt of the ACA the NAT-device cleans up all NAT-bindings
       and associated session state for the endpoint.

   7.  The NAT-device sends an STA.  On receipt of the STA the NAT-
       controller will clean up the corresponding session state.

         <STA> ::= < Diameter Header: TBD, PXY >
              Session-Id = "natC.example.com:33041;23432;"
              Origin-Host = "nat-device.example.com"
              Origin-Realm = "example.com"
              Result-Code = DIAMETER_SUCCESS
14.  Acknowledgements

   skipping to change at page 56, line 20
       or NAT-device)

   d.  IANA consideration Section format changes

   e.  Updated security section (included considerations directly,
       rather than referring to Diameter QoS similarities).

   Changes from -08 to -09

   a.  expanded on the need for an SP controlling the maximum number of
       bindings of an endpoint (see introduction section)

   b.  added a paragraph in the security section outlining general
       misuses of NAT-control (non specific to DNCA), with DNCA being an
       example of such a NAT-control protocol

   c.  editorial changes

   Changes from -09 to -10

   a.  Section 4 and security considerations updated with RFC 2119

   skipping to change at page 57, line 40
   [RFC5777]  Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M.,
              and A. Lior, "Traffic Classification and Quality of
              Service (QoS) Attributes for Diameter", RFC 5777,
              February 2010.

16.2.  Informative References

   [I-D.ietf-behave-lsn-requirements]
              Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
              and H. Ashida, "Common requirements for Carrier Grade NAT
              (CGN)", draft-ietf-behave-lsn-requirements-04 (work in
              progress), October 2011.

   [RFC1661]  Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
              RFC 1661, July 1994.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
End of changes.  37 change blocks.
112 lines changed or deleted, 119 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/