Network Working Group                                          D. Cheng
Internet-Draft                                      Huawei Technologies
Category: Standards Track                             February 28, 2011
Expires: August 28, 2011


                RADIUS Extensions for NAT Forwarding Port
              draft-cheng-behave-nat-fwd-port-radius-ext-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
Cheng                   Expires August 28, 2011                 [Page 1]

Internet-Draft   RADIUS Extensions for NAT Forwarding Port  February 2011

Abstract

   This memo proposes two new RADIUS attributes, each carrying an
   Internal Port number and a Configured External Port number.  Both are
   associated with a specific NAT device and a specific user and are
   configured on a RADIUS server, so that when the user requests an
   Internet connection the port mapping information can be conveyed via
   the RADIUS protocol to the NAS co-located with the NAT device, where
   it is used during NAT operation for IP flows to and from that user.
   The two attributes also carry an IPv4 address or an IPv6 address,
   respectively, as the pinhole's internal IP address at the NAT device.

Table of Contents

   1. Introduction
   2. Terminology
   3. Operation
   4. RADIUS Attributes
   5. Table of Attributes
   6. Security
   7. IANA Considerations
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References
   10. Authors' Addresses

1. Introduction

   In most scenarios, a port mapping on a NAT device is created
   dynamically when the first IP packet of a connection initiated by a
   user arrives.  For some applications, the port mapping needs to be
   pre-defined, so that IP packets arriving from outside the NAT device
   can pass through and be "port forwarded" to the correct user located
   behind the NAT device.
   Port Control Protocol, or PCP [I-D.draft-ietf-pcp-base], provides a
   mechanism to create pinholes from an external IP address to an
   internal IP address and port on a NAT device precisely for this "port
   forwarding" purpose.  PCP is a client-server protocol that can create
   and delete pinholes on a NAT device dynamically, along with a rich set
   of other features.  In some deployments, however, all a user needs is
   a few, typically just one, pre-configured port mapping for an
   application such as a web cam at home, and such a mapping remains
   valid for the whole duration of the customer's Internet service
   connection.  In such an environment, it is possible to statically
   configure the port mapping for a user on the RADIUS server and let
   the RADIUS protocol propagate the information to the associated NAT
   device.

   In a broadband network, customer information is usually stored on a
   RADIUS server.  When a user initiates an Internet service request and
   the request is granted, the RADIUS server populates the user's
   configuration information to the NAS, which is usually co-located
   with the BNG.  In many cases the NAT function is also on the BNG, and
   the port forwarding information can therefore be configured on the
   RADIUS server as part of the user profile.

   This memo proposes two new RADIUS attributes to carry an Internal
   Port number and a Configured External Port number, together with an
   IPv4 address or an IPv6 address, respectively, as the pinhole's
   internal address.  Both are associated with a specific NAT device and
   a specific user and are configured on a RADIUS server, so that when
   the user requests an Internet connection the port mapping information
   can be conveyed via the RADIUS protocol to the NAS co-located with the
   NAT device, where it is used during NAT operation for IP flows to and
   from that user.
2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3. Operation

   The port mapping information that the NAT is to use for a user (e.g.,
   a CPE or a host) is configured on a RADIUS server, along with other
   user information such as credentials, and is propagated from the
   RADIUS server to the NAT device using the RADIUS protocol.

   In Figure 1, a Network Access Server (NAS), co-located with a NAT
   device on a BNG, operates as a RADIUS client.  The NAT device on the
   BNG performs a single NAT (or firewall) function such as NAT44, NAT64,
   etc.  When the user sends a service request, the NAS on the BNG sends
   a RADIUS Access-Request message to the RADIUS server, requesting
   authentication.  Once the RADIUS server receives the request, it
   validates the sending client and, if the request is approved, replies
   with an Access-Accept message containing a list of attribute-value
   pairs that describe the parameters to be used for this connection,
   including the port forwarding mapping configured for this user.

   When the Access-Accept message arrives at the BNG, the port mapping
   information is used to create a pinhole on the NAT for that user,
   bound to the pinhole's internal IP address and, once it is available,
   to the external IP address.  A service-granted message is then sent
   to the user, and from that point on IP packets of an application
   initiated from the network side (e.g., a connection to a web cam) can
   be "port forwarded" by the NAT on the BNG to the user behind it.  IP
   packets belonging to the same flow in the opposite direction traverse
   the same pinhole.
       User                 NAT/NAS                      AAA
         |                    BNG                       Server
         |                     |                           |
         |---Service Request-->|                           |
         |                     |                           |
         |                     |------Access-Request------>|
         |                     |                           |
         |                     |<-----Access-Accept--------|
         |                     |  (NAT-IPv4-Forwarding-Port-Map)
         |                     |  (NAT-IPv6-Forwarding-Port-Map)
         |<--Service Granted---|                           |
         |  (other parameters) |                           |
         |                     |                           |
         |              (Create a port mapping             |
         |               for the user, and                 |
         |               associate it with the             |
         |               internal IP address               |
         |               and external IP address)          |
         |                     |                           |
         |                     |----Accounting-Request---->|
         |                     |  (NAT-IPv4-Forwarding-Port-Map)
         |                     |  (NAT-IPv6-Forwarding-Port-Map)
         |                     |                           |
             DHCP/PPP                      RADIUS

                     Figure 1: RADIUS Message Flow

   When an IP packet travels from behind the NAT outwards (outbound),
   the NAT must change the source port number from the internal port to
   the configured external port; when an IP packet travels from outside
   to the inside of the NAT (inbound), the NAT must change the
   destination port number from the configured external port to the
   internal port.

   Note that the service request initiated by a user can be associated
   with a PPP session or with the relevant DHCPv4/DHCPv6 messages; the
   communication sequence between the RADIUS server and the NAS, and the
   installation of the port mapping on the NAT, are the same in either
   case.  There may also be different mechanisms by which the internal
   IP address and the external IP address (in the context of the NAT)
   are assigned or determined on the NAT for a specific user, but the
   forwarding port mapping remains as configured on the RADIUS server
   and is bound to the specific user through one of its IP addresses.

   A port mapping, once created on the NAT, remains in place for the
   duration of the user's Internet connection.  When the connection is
   torn down, the mapping on the NAT must be removed accordingly.
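   The translation steps above, as an added example that is not part of
   this draft: a small Python model of the pinhole the BNG installs from
   the attribute, with the outbound source-port and inbound
   destination-port rewrites, removal on session teardown, and a check
   that two users sharing one external address (as on a CGN) are not
   given the same Configured External Port.  The user names, addresses
   and packets are constructed for the example.

```python
# Added example (not code from the draft): a minimal model of the static NAT
# pinhole that the BNG creates from a NAT-IPv4/IPv6-Forwarding-Port-Map
# attribute and of the port rewriting it performs.  Users, addresses and
# packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Dict, Optional, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]


@dataclass(frozen=True)
class Packet:
    src: Addr
    sport: int
    dst: Addr
    dport: int


@dataclass(frozen=True)
class Pinhole:
    internal_ip: Addr     # pinhole internal address from the attribute
    internal_port: int    # Internal Port from the attribute
    external_ip: Addr     # external address the NAT assigned to this user
    external_port: int    # Configured External Port from the attribute


class ForwardingNat:
    """One static pinhole per user session: installed when the Access-Accept
    arrives, removed when the session is torn down."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Pinhole] = {}
        self._inbound: Dict[Tuple[Addr, int], Pinhole] = {}   # (ext ip, ext port)
        self._outbound: Dict[Tuple[Addr, int], Pinhole] = {}  # (int ip, int port)

    def install(self, user: str, internal_ip: str, internal_port: int,
                external_ip: str, external_port: int) -> Pinhole:
        ph = Pinhole(ip_address(internal_ip), internal_port,
                     ip_address(external_ip), external_port)
        self.remove(user)  # a re-authenticating user replaces its old mapping
        # Two users behind one external address (e.g., a CGN) must not get the
        # same Configured External Port: the inbound lookup would be ambiguous.
        if (ph.external_ip, ph.external_port) in self._inbound:
            raise ValueError("external port already mapped on this address")
        self._by_user[user] = ph
        self._inbound[(ph.external_ip, ph.external_port)] = ph
        self._outbound[(ph.internal_ip, ph.internal_port)] = ph
        return ph

    def remove(self, user: str) -> None:
        ph = self._by_user.pop(user, None)
        if ph is not None:
            del self._inbound[(ph.external_ip, ph.external_port)]
            del self._outbound[(ph.internal_ip, ph.internal_port)]

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside to outside: source (ip, port) becomes the external pair."""
        ph = self._outbound.get((pkt.src, pkt.sport))
        if ph is None:
            return None  # not covered by a static pinhole
        return Packet(ph.external_ip, ph.external_port, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside to inside: destination (ip, port) becomes the internal pair."""
        ph = self._inbound.get((pkt.dst, pkt.dport))
        if ph is None:
            return None  # no pinhole: an unsolicited inbound packet is dropped
        return Packet(pkt.src, pkt.sport, ph.internal_ip, ph.internal_port)


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Install the constructed mapping (web cam at 192.168.1.10:8080 exposed on
    203.0.113.5:8443), forward one packet each way, then tear the session down."""
    nat = ForwardingNat()
    nat.install("user-a", "192.168.1.10", 8080, "203.0.113.5", 8443)
    remote, ext = ip_address("198.51.100.7"), ip_address("203.0.113.5")
    inbound = nat.translate_inbound(Packet(remote, 51000, ext, 8443))
    outbound = nat.translate_outbound(
        Packet(ip_address("192.168.1.10"), 8080, remote, 51000))
    nat.remove("user-a")
    after_teardown = nat.translate_inbound(Packet(remote, 51000, ext, 8443))
    return inbound, outbound, after_teardown


def collision_detected() -> bool:
    """A second user on the same external address and port is refused."""
    nat = ForwardingNat()
    nat.install("user-a", "192.168.1.10", 8080, "203.0.113.5", 8443)
    try:
        nat.install("user-b", "192.168.1.11", 8080, "203.0.113.5", 8443)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(*demo(), collision_detected(), sep="\n")
```

   The inbound packet is only forwarded while the pinhole exists; after
   remove() the same packet yields None, which is the "drop" outcome the
   teardown rule above requires.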
   In the NAT444 scenario, a forwarding port mapping on the NAT residing
   on the BNG, as described above, is not sufficient on its own to let
   an IPv4 packet generated outside the BNG reach the user: a separate
   forwarding port mapping is also required on the user's device,
   typically a CPE, and the two mappings need to be coordinated so that
   an inbound IP packet, i.e., one from outside the BNG destined to the
   user, successfully traverses both NATs before arriving at the user.
   The mechanism required for the NAT444 case is out of the scope of
   this document.

4. RADIUS Attributes

   Two new RADIUS attributes are defined in this document, for an IPv4
   address and an IPv6 address as the NAT pinhole's internal address,
   respectively:

      NAT-IPv4-Forwarding-Port-Map Attribute (Figure 2)
      NAT-IPv6-Forwarding-Port-Map Attribute (Figure 3)

   Description

      Both attributes contain a 16-bit Internal Port, which identifies
      the source TCP/UDP port number of an IP packet sent by the user, or
      the destination port number of an IP packet destined to the user,
      as seen while the packet travels behind the NAT device.  Both also
      contain a 16-bit Configured External Port, which identifies the
      source TCP/UDP port number of an IP packet sent by the user, or the
      destination port number of an IP packet destined to the user, as
      seen while the packet travels outside the NAT device.  In addition,
      the two attributes contain a 32-bit IPv4 address or a 128-bit IPv6
      address, respectively, as the NAT pinhole's internal IP address.
      Together, the port pair and the IP address determine the port
      mapping rule for a specific IP flow traversing the NAT device.
      Note that neither attribute carries a transport-protocol field; a
      mapping therefore applies to TCP and UDP on that port alike.

      The attribute MAY appear in an Access-Accept packet and MAY also
      appear in an Accounting-Request packet.  In either case, the
      attribute MUST NOT appear more than once in a single packet.
      These attributes MUST NOT appear in any other RADIUS packet.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         Internal Port         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Configured External Port    | Pinhole Internal IPv4 Address |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     IPv4 Address (cont.)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          Figure 2: NAT-IPv4-Forwarding-Port-Map Attribute Format

   These fields are described below:

   Type

      Type for NAT-IPv4-Forwarding-Port-Map (value is TBD)

   Length

      10 octets.  As required by [RFC2865], the Length field counts the
      Type and Length octets as well as the 8-octet value.

   Internal Port

      Internal port for the pinhole

   Configured External Port

      External port for the pinhole

   Pinhole Internal IPv4 Address

      The internal IPv4 address at the pinhole

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         Internal Port         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Configured External Port    | Pinhole Internal IPv6 Address |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     IPv6 Address (cont.)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     IPv6 Address (cont.)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     IPv6 Address (cont.)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     IPv6 Address (cont.)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          Figure 3: NAT-IPv6-Forwarding-Port-Map Attribute Format

   These fields are described below:

   Type

      Type for NAT-IPv6-Forwarding-Port-Map (value is TBD)

   Length

      22 octets.  As required by [RFC2865], the Length field counts the
      Type and Length octets as well as the 20-octet value.

   Internal Port

      Internal port for the pinhole

   Configured External Port

      External port for the pinhole

   Pinhole Internal IPv6 Address

      The internal IPv6 address at the pinhole
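   As an added example (not code from this draft), the two attribute
   formats above as a RADIUS server would encode them and a NAS would
   parse them out of an Access-Accept.  The Type values are TBD in the
   draft; the values 224 and 225 used here are placeholders from the
   implementation-specific range.  The parser enforces a Length of 10
   and 22 octets, which per [RFC2865] includes the Type and Length
   octets, skips unrelated attributes, and rejects a repeated attribute
   as the Description requires.  The attribute lists are constructed
   inline.

```python
# Added example (not code from the draft): encoding and NAS-side parsing of
# the NAT-IPv4-Forwarding-Port-Map and NAT-IPv6-Forwarding-Port-Map
# attributes.  The draft leaves the Type values TBD; 224 and 225 are
# placeholders from the implementation-specific range, used here only.
import struct
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Dict, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]

TYPE_NAT_IPV4_FWD_PORT_MAP = 224   # placeholder, real value TBD (IANA)
TYPE_NAT_IPV6_FWD_PORT_MAP = 225   # placeholder, real value TBD (IANA)

# Per RFC 2865 the Length octet covers the Type, Length and Value fields.
ATTR_LEN = {
    TYPE_NAT_IPV4_FWD_PORT_MAP: 1 + 1 + 2 + 2 + 4,    # 10 octets
    TYPE_NAT_IPV6_FWD_PORT_MAP: 1 + 1 + 2 + 2 + 16,   # 22 octets
}


def encode_fwd_port_map(internal_port: int, external_port: int,
                        internal_ip: str) -> bytes:
    """RADIUS-server side: build one attribute for a user's profile.  The
    address family of internal_ip selects which of the two attributes."""
    for p in (internal_port, external_port):
        if not 1 <= p <= 0xFFFF:
            raise ValueError("port out of range: %r" % p)
    ip = ip_address(internal_ip)
    t = TYPE_NAT_IPV4_FWD_PORT_MAP if ip.version == 4 else TYPE_NAT_IPV6_FWD_PORT_MAP
    return struct.pack("!BBHH", t, ATTR_LEN[t], internal_port, external_port) + ip.packed


def parse_fwd_port_maps(attrs: bytes) -> Dict[int, Tuple[int, int, Addr]]:
    """NAS side: walk the attribute list of an Access-Accept (the octets after
    the 20-octet RADIUS header) and return {type: (iport, eport, internal_ip)}
    for the two NAT attributes.  Other attributes are skipped.  Raises
    ValueError on a truncated list, a wrong Length, or a repeated attribute."""
    found: Dict[int, Tuple[int, int, Addr]] = {}
    off = 0
    while off < len(attrs):
        if len(attrs) - off < 2:
            raise ValueError("truncated attribute header")
        t, length = attrs[off], attrs[off + 1]
        if length < 2 or off + length > len(attrs):
            raise ValueError("attribute length %d runs past the packet" % length)
        if t in ATTR_LEN:
            if length != ATTR_LEN[t]:
                raise ValueError("type %d: Length %d, expected %d" % (t, length, ATTR_LEN[t]))
            if t in found:
                raise ValueError("type %d appears more than once in one packet" % t)
            iport, eport = struct.unpack("!HH", attrs[off + 2:off + 6])
            # 4 or 16 remaining octets: ip_address() picks the family by length
            found[t] = (iport, eport, ip_address(attrs[off + 6:off + length]))
        off += length
    return found


def is_malformed(attrs: bytes) -> bool:
    """True if the parser rejects the attribute list."""
    try:
        parse_fwd_port_maps(attrs)
    except ValueError:
        return True
    return False


def sample_access_accept_attrs() -> bytes:
    """Constructed attribute list: Framed-IP-Address (type 8, which the
    parser must step over) followed by one attribute of each NAT type."""
    framed_ip = bytes([8, 6]) + ip_address("192.168.1.10").packed
    return (framed_ip
            + encode_fwd_port_map(8080, 8443, "192.168.1.10")
            + encode_fwd_port_map(8080, 8443, "2001:db8::10"))


if __name__ == "__main__":
    for t, (iport, eport, addr) in parse_fwd_port_maps(sample_access_accept_attrs()).items():
        print("type %d: internal %s port %d <-> external port %d" % (t, addr, iport, eport))
```

   A Length of 8 or 20, i.e., the value length alone, is rejected on
   purpose: a NAS that accepted it would place the attribute boundary
   inside the address and misparse whatever attribute follows.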
5. Table of Attributes

   The following table provides a guide to which kinds of packets the
   attributes may be found in, and in what quantity.

   Request  Accept  Reject  Challenge  Accounting  #    Attribute
                                       Request
   0-1      0-1     0       0          0-1         TBD  NAT-IPv4-Forwarding-Port-Map
   0-1      0-1     0       0          0-1         TBD  NAT-IPv6-Forwarding-Port-Map

   The meaning of the above table entries is as follows:

   0    This attribute MUST NOT be present.
   0-1  Zero or one instance of this attribute MAY be present.

6. Security

   Security considerations for the RADIUS protocol are discussed in
   [RFC2865].  The attributes defined here cause the NAS to open an
   inbound pinhole to a user's internal IP address and port, so the
   integrity of the Access-Accept that carries them, protected by the
   shared-secret mechanisms of [RFC2865], and the correctness of the
   port mapping configured in the user's profile determine which traffic
   from outside the NAT can reach that user.

7. IANA Considerations

   This document requires the assignment of new RADIUS attribute numbers
   for the following attributes:

      NAT-IPv4-Forwarding-Port-Map
      NAT-IPv6-Forwarding-Port-Map

8. Acknowledgements

   Thanks to Dan Wing, who provided some useful comments.

9. References

9.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

9.2. Informative References

   [I-D.draft-ietf-pcp-base]
              Wing, D., "Port Control Protocol (PCP)",
              draft-ietf-pcp-base-05, work in progress.

10. Authors' Addresses

   Dean Cheng
   Huawei Technologies
   2330 Central Expressway, CA 95050, USA

   Phone: +1 408 330 4754
   Email: dean.cheng@huawei.com