behave WG W. Meng Internet-Draft ZTE Corporation Intended status: Standards Track July 12, 2013 Expires: January 13, 2014 Network Address Port Group Translator draft-meng-behave-napgt-00 Abstract Currently, if an internal server and hosts are behind NAT, they cannot share a global IP address except adding lots of static NAPT rule configuration. Because if a server wants to provide a service by constant port(i.e. HTTP and FTP) , the destination port of packet sent by an external client should not be changed any time when it crosses NAT. This document specifies a new method to assign NAPT global address and port, aiming to solve the problem that internal servers and hosts cannot share less global IP addresses. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 13, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Meng Expires January 13, 2014 [Page 1] Internet-Draft Network Address Port Group Translator July 2013 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Convention and Terminology . . . . . . . . . . . . . . . . . 3 3. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Configuration . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Mapping Item . . . . . . . . . . . . . . . . . . . . . . . . 3 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 7. Normative References . . . . . . . . . . . . . . . . . . . . 4 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction With the depletion of IPv4 addresses, many operators have begun to deploy NAPT in their network. But NAPT has many defects. For example, a server is placed in the internal network, and an external client attempt to access the server through HTTP. Dynamic NAPT cannot be used for translation, because translation MUST keep the consistency of the internal port and external port (PORT:80 should not be changed). It is an issue causing a public IP address being fixed to a server only, but not for other users to access, resulting in a waste of resources. It seems that STATIC NAPT is a near-perfect solution to deal with this issue. But if there are a lot of services provided by a server in the internal network, many STATIC NAPT rules should be configured. It increases the complexity of configuration without a corresponding increase in functionality. Meanwhile, limited rule resources will be consumed. Present solution is changing the configuration due to user complaints. A user does not know his IP address global or local. During global IP address time, he can access the server placed in his home from external. Until one day, he cannot do that because he get local IP address only. He is not satisfied and complain to the operator. Operator has to assign global IP address for him and still assign local IP address for other users. Operator distinguishes him from others by embedding tags into the user data. Now, through the variant of traditional NAPT translation, we can achieve sharing a global IP address among a server and hosts placed in the same internal network. It is called NAPGT (Network Address Port Group Translation). Meng Expires January 13, 2014 [Page 2] Internet-Draft Network Address Port Group Translator July 2013 2. Convention and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Scenarios There can be a typical scenario if NAT is involved. In this scenario, a server and several hosts are behind NAT. NAT has only a global IP address. NAT needs to let client access to server without affecting any hosts accessing to the internet. Address Pool: {202.1.1.1 } +----------+ +-----+ +--------+ +--------+ | | | | |HTTP/FTP| | Client |----+ Internet + ----+ NAT +----+ Server + +--------+ | | | | | | | +----------+ +-----+ | +--------+ | +--------+ |--+ host + | +--------+ | +--------+ |--+ host + | +--------+ | +--------+ |--+ host + +--------+ Figure 1: Server and Hosts Behind NAT 4. Configuration The NAPGT needs to be configured in NAT. Port-ranges MUST be specified in NAT pool, such as '1-1024','7000-7100'. It means that a collection of ports MUST be binding use for server. The rest of ports can be assigned to hosts. Static rules MUST be configured for server. Rules for hosts has no special requirement. 5. Mapping Item Meng Expires January 13, 2014 [Page 3] Internet-Draft Network Address Port Group Translator July 2013 To achieve client accessing server behind NAT by HTTP or FTP, mapping item MUST be generated in advance. NAT(config)#show nat translations all =============================================================================== Protocol Type Local Add:Port global Add:Port Destination Add:Port =============================================================================== --- NAPGT 192.168.0.1:<1-1024> 202.1.1.1:<1-1024> 211.1.1.1:* ------------------------------------------------------------------------------- UDP STATIC 192.168.0.2:1024 202.1.1.1:1025 222.1.1.1 ------------------------------------------------------------------------------- TCP DYNAMIC 192.168.0.3:2565 202.1.1.1:1030 --- ------------------------------------------------------------------------------- Figure 2: Mapping Item in NAT(Example) 6. Security Considerations To be added later on as-needed basis. 7. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Author's Address Wei Meng ZTE Corporation No.50 Software Avenue, Yuhuatai District Nanjing China Email: meng.wei2@zte.com.cn, vally.meng@gmail.com Meng Expires January 13, 2014 [Page 4]