softwire R. Maglione Internet-Draft Telecom Italia Intended status: Informational W. Dec Expires: May 6, 2013 Cisco November 2, 2012 Uses cases for MAP-T draft-maglione-softwire-map-t-scenarios-01 Abstract Softwire working group is currently discussing both encapsulation and translation based stateless IPv4/IPv6 solutions in order to be able to provide IPv4 connectivity to customers in an IPv6 only environment. The purpose of this document is to describe some use cases that would take advantage of a translation based solution, by highlighting the operational benefits that a translation based approach would allow. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 6, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Maglione & Dec Expires May 6, 2013 [Page 1] Internet-Draft MAP-T uses cases November 2012 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Application of Service Policies to the subscriber's sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Application of Access Control Lists . . . . . . . . . . . . 4 2.2. Application of policies based on Deep Packet Inspection . . 5 2.3. Application of web-redirection policies . . . . . . . . . . 6 2.4. Caching . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 7. Informative References . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Maglione & Dec Expires May 6, 2013 [Page 2] Internet-Draft MAP-T uses cases November 2012 1. Introduction Softwire working group is currently discussing both encapsulation and translation based stateless IPv4/IPv6 solutions in order to be able to provide IPv4 connectivity to the customers in an IPv6 only environment. There are scenarios where using encapsulation based or translation based approaches does not make substantial differences, however there are many other cases where using a translation approach could lead to significant operational savings for the operators. This document describes some use cases that would take advantage of a translation based solution, by highlighting the operational benefits that a translation based approach would allow. 2. Application of Service Policies to the subscriber's sessions In Broadband Networks is common practice for Service Providers to be able to apply per-subscriber policies on customer's traffic at the BNG (Broadband Network Gateway) level. Different services may require the application of different policies. Examples of policies currently used in today's deployments include: o the classification of the traffic not only based on layer 3 identifiers, but also based on layer 4 fields, like TCP and/or UDP ports; o the classification of traffic based on destination; o the application of different QoS treatment (could be rate-limit, drop, redirect,.. etc) on selected types of traffic based on layer 4-7 classification done by deep packet inspection appliances; o the redirection of selected types of traffic to a Web portal; o the caching of selected types of traffic. The reason why in the current Broadband network, it is important to be able to enforce policies at the BNG is because the BNG is the only network element, interacting with the AAA/RADIUS Server, responsible for authentication, authorization and accounting for the subscriber's sessions. In many common deployments today, the customer's policies are maintained in AAA/RADIUS Server together with the customer's profile and they are applied to the subscriber's session by using standardized RADIUS attributes during the authentication/ authorization phases. In addition in today's deployments, the appliances used to provide value added services, like Deep Packet Inspection devices, caching devices, etc., are usually either co-located or integrated with the BNG box. In order to be able to re-use the current network infrastructure and for operational reasons, it is important for the Maglione & Dec Expires May 6, 2013 [Page 3] Internet-Draft MAP-T uses cases November 2012 operators to be able to continue having a single enforcement point, at the BNG level, for all the subscriber's policies for both IPv4 and IPv6 traffic, as opposed to distributing such functionality across two or more nodes. 2.1. Application of Access Control Lists Most of the policies described in section Section 2 require the application of an access control list on the BNG in order to be able to classify the user traffic. The application of ACL's on selected subscribers it is usually driven by the AAA/RADIUS through specific RADIUS attributes. This section will explain why the application of some types of ACL's (like for example Destination based ACL and ACL able to match not only layer 3, but also layer 4 fields) can be simply achieved when using MAP-T [I-D.ietf-softwire-map-t]. A key characteristic of MAP-T is the mapping of the IPv4 address of any destination into the IPv6 destination address, by means of the IPv4 to IPv6 mapping rule. Given that in using a regular IPv6 ACL, an operator's main requirement is to be able to identify interesting traffic by means of IPv6 destination addresses, at the BNG level. MAP-T appears the natural approach to solve the problem, without recourse to any non-commonly found device features. In contrast any solution utilizing an IP tunnel based transport (MAP-E [I-D.ietf-softwire-map] or DS-Lite [RFC6333]), effectively hides the payload's IP layer information, making it difficult to identify by means of an IPv6 ACL. Another example of application for MAP-T is where Access Control Lists able to match not only layer 3, but also layer 4 fields, are required. This is a quite common scenario as ACL's matching TCP/UDP ports are widely used in Service Provider's environments in order to classify different traffic types and to apply different qos treatments. In case of an IP tunnel-based transport at the BNG level, the IPv4 traffic is encapsulated inside an IPv6 packet thus the BNG is not able to see the layer 4 fields without either de- encapsulating the packet or by inspecting the IPinIP traffic. On the other hands, using MAP-T, the layer 4 fields would be preserved as the IPv4 traffic is only translated in IPv6 by using the IPv6 MAP rules. With MAP-T the TCP/UDP traffic could be identify at the BNG level by simply using and IPv6 ACL matching the IPv6 prefix and the required TCP/UDP ports. Being able to apply ACL's at the BNG level would allow the operator to not only use regular IPv6 ACL functionality, but also use throughout the same RADIUS interface parameters/system for applying Maglione & Dec Expires May 6, 2013 [Page 4] Internet-Draft MAP-T uses cases November 2012 such ACLs. I.e. custom RADIUS interface extensions to deal with the ACL semantics of an IP tunnel based transport are not required. 2.2. Application of policies based on Deep Packet Inspection Several Service Providers today use deep packet inspection devices located at the BNG level, in order to inspect the subscriber's traffic for different purposes: profiling the user's behavior, for example in order to be able to provide customized advertisement, classifying the traffic not only based on DSPC/TOS, but also based on layer 4-7 identifiers in order to be able to offer different QoS treatments. Deep packet inspection devices available today in the market and already deployed in operator's network are not able to analyze encapsulated traffic, like IPinIP, and to correlate the inner packet's contents to the outer packet's "subscriber" context - this limitation is consistent across multiple vendors. In order to overcome this limitation when using IP tunnel based transports, without resorting to costly network upgrades, dedicated DPI devices need to be applied at a point in the network where the IP tunnel transport has been stripped and the payload is directly available for native processing. This not only changes the network architecture, but it increases the number of DPI's devices required: one for IPv6 traffic at the BNG level, the other for IPv4 traffic on a separate location. In addition the operator would need to enforce policies on two separate places in the network. Furthermore, even with these changes enacted, there remains a critical problem of correlating traffic to a given subscriber: in the DS-Lite and MAP-E solutions, the IPv4 address information in the payload is not sufficient to uniquely identify a subscriber given that an IPv4 address will not be unique. As such, further additional mechanisms and changes to the accounting infrastructure need to be introduced which when combined with all the previous aspects makes this solution operationally complex. With MAP-T operators can continue using the current architectural model with DPI devices installed at the BNG level; the only requirement would be to have the same device able to recognize specific applications on the native IPv6 transport, which DPI devices based on application signatures are capable of doing. In addition with MAP-T the BNG would remain the single enforcement point for all user's policies for all traffic. This would allow the operators to continue using a consistent architecture and set of accounting tools for their network. Maglione & Dec Expires May 6, 2013 [Page 5] Internet-Draft MAP-T uses cases November 2012 2.3. Application of web-redirection policies Redirecting the user's traffic to web portal is a common practice in Service Provider's network. It is widely used today for example in order to inform the user about new service offers, or about temporary unavailable services, or in order to allow the user to re-charge is account after his credit has expired, etc ... When web-redirection is activated for a specific subscriber all the http traffic of that customer is the redirected towards an external server. In current deployment web-redirection happens at the BNG level, where the subscriber's traffic first hits the IP network. The activation/ de-activation of redirection policy on selected subscribers may be driven by the AAA/RADIUS through specific RADIUS attributes. If MAP-T is used the redirection of both IPv6 and IPv4 traffic can be kept at the BNG with the same configuration currently used and by simply translating the Server's address in IPv6 with known mapping rules. In case of tunnel based solution the redirection of IPv6 and IPv4 cannot happen in a single place, because the redirection of IPv4 traffic must be implemented at or after the v4/v6 gateway responsible for de-encapsulating the traffic. This approach not only would require deploying two separate infrastructures located in different places in order to achieve the redirection for both IPv6 and IPv4 traffic, but also it would not allow continuing using the AAA/RADIUS Server infrastructure in order to enforce the redirect policy at the subscriber's session. 2.4. Caching With the continuing growing of video traffic, especially considering the increase of http video traffic (you tube like,) it is useful for the Service Providers to be able to cache the video stream at the Edge of the network in order to save bandwidth in upstream links. Using cache devices together with tunnel solutions would introduce similar challenges/issues as the ones described for DPI scenarios, in particular it would require applying caching functionality after the decapsulation point. Obviously this would not eliminate the benefits of the cache. Instead a MAP-T approach would allow caching the subscriber traffic at the edge of the network and gaining the bandwidth savings introduced by the caching. Crucially, any native IPv6 web-caches would be capable of processing IPv6 MAP-T traffic as fully native traffic. In addition in some deployments today, Web Cache Control Protocol (WCCP) feature is used in order to redirect subscriber's traffic to the cache devices. When a subscriber requests a page from a web server (located in the Internet, in this case), the network node where the WCCP is active, sends the request to a Cache Engine. If Maglione & Dec Expires May 6, 2013 [Page 6] Internet-Draft MAP-T uses cases November 2012 the cache engine has a copy of the requested page in storage, the engine sends the user that page. Otherwise, the engine gets the requested page and the objects on that page from the web server, stores a copy of the page and its objects (caches them), and forwards the page and objects to the user. WCCP is another example of web redirect thus, the same considerations described in section Section 2.3 and the benefits introduced by MAP-T also apply here. 3. Conclusions The use cases described in this document have highlighted a clear need for a MAP-T solution based on Service Providers' operational requirements. This document showed that a MAP-T approach is not a duplication of any other existing IPv4/IPv6 migration mechanisms based on IP tunneling, but actually has capabilities to solve Service Provider's problems. 4. Acknowledgements TBD 5. IANA Considerations This document does not require any action from IANA. 6. Security Considerations TBD 7. Informative References [I-D.ietf-softwire-map] Troan, O., Dec, W., Li, X., Bao, C., Matsushima, S., and T. Murakami, "Mapping of Address and Port with Encapsulation (MAP)", draft-ietf-softwire-map-02 (work in progress), September 2012. [I-D.ietf-softwire-map-t] Li, X., Bao, C., Dec, W., Troan, O., Matsushima, S., and T. Murakami, "Mapping of Address and Port using Translation (MAP-T)", draft-ietf-softwire-map-t-00 (work Maglione & Dec Expires May 6, 2013 [Page 7] Internet-Draft MAP-T uses cases November 2012 in progress), October 2012. [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, August 2011. Authors' Addresses Roberta Maglione Telecom Italia Via Reiss Romoli 274 Torino 10148 Italy Phone: Email: roberta.maglione@telecomitalia.it Wojciech Dec Cisco Haarlerbergweg 13-19 1101 CH Amsterdam, The Netherlands Phone: Fax: Email: wdec@cisco.com URI: Maglione & Dec Expires May 6, 2013 [Page 8]