IETF Behave Working Group C. Perkins
Internet-Draft WiChorus Inc.
Expires: April 22, 2010 October 19, 2009
Payload-assisted Delivery for SIPNAT
draft-perkins-behave-dpinat-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 22, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Perkins Expires April 22, 2010 [Page 1]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
Abstract
SIPNAT has been proposed as an effective method for enabling global
Internet access to IPv6-only domains. New methods have been devised
for accurate delivery of packets from the global Internet into the
internal domain of destinations that do not share a common address
space with the majority of the global Internet. These improvements
can be used to augment Source-IP NAT so that perfect accuracy can be
achieved in many common cases of interest.
Perkins Expires April 22, 2010 [Page 2]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
1. Introduction
Enabling the transition from IPv4 to IPv6 will depend to a large
extent upon how well businesses and online organizations can depend
on IPv6 to carry on their daily operations. One way to justify such
dependence on IPv6 is to assure businesses that their online services
will be accessible from the entire existing IPv54 Internet.
With traditional port-mapped NAT (NAPT), this has not been possible
because, for each source-destination flow, the translation parameters
for the flow have had to be established by the internal network node
(i.e., the node with the IP address that is incompatible with the
addressing domain of the global Internet). In particular, for each
such flow there needs to be an external IP address and an external
port assigned. Packets arriving at the external IP address and port
are then translated and retransmitted with new IP headers containing
the translated IP address and port number. This works for
IPv6-->IPv4 translation, IPv4-->IPv4 translation (e.g., today's
Internet), and other variations as well. It is a workable solution
(with various second-order difficulties) for enabling outgoing
traffic to be delivered into the global Internet.
But any business requires global presence and continuous, on-demand
availability. The customers have to be able to initiate contact with
the business services, not the other way around. Similary for all
other online service organizations (including governmental, non-
profit, and family websites).
One idea for enabling such incoming translations has been proposed,
called "source-IP NAT" (SIPNAT). This proposal relies on DNS to
establish the required parameters for the flow translation. It has
the advantage of dynamic allocation and deallocation of global IPv4
addresses for the potentially huge population of internal (say, IPv6)
network nodes. This is essential for scalability. The more global
IPv4 addresses, the better SIPNAT works. With as few as 128 IPv4
addresses, SIPNAT can offer reliability in excess of 99.99%,
depending on the arrival rate for new flows, the cohesiveness of each
flow, and other details about the statistics of the incoming traffic.
There are other protocol-specific mechanisms that can be used to
assist with the translation of incoming traffic. For almost all HTTP
traffic, the translation can be perfect. For SIP and peer-to-peer
traffic, other mechanisms can often be employed. For some traffic,
there may not be any additional mechanisms that are conveniently
realizable, or even available at all. For example, "ping" and
"telnet" do not make available the information needed for the
protocol mechanisms in this document.
Perkins Expires April 22, 2010 [Page 3]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
2. Failure cases for SIPNAT
SIPNAT relies on DNS Request messages to initialize a pending flow
translation. The pending flow translation will become established
when the first packet of the flow arrives at the external IP address
on the NAT box which has been allocated for that flow. The process
of establishment mainly involves inserting the source IP address of
that first packet as part of the parameters for the flow translation.
This also enables correct synthesis of the translated IPv6 address
that will be reported to the destination, and defines the IPv4 source
address for responses that are transmitted by the IPv6 destination to
be translated by the source-IP NAT.
The newly allocated IP address may already be supporting several (or
many) existing established flows; at any particular time, SIPNAT
requires that only one pending flow translation may await
establishment at the allocated IPv4 address. Because of this, SIPNAT
(while effective and generally robust) does have failure modes.
o The DNS Request does not identify the actual source computer.
This means the initial allocation for global Internet address on
the NAT cannot be established until a packet arrives from the
actual source. It is then possible for a flow translation to be
assigned on a global Internet address that already is hosting a
previous flow translation for the same requesting source-IP
address. In other words, it is possible for a source node, which
is already getting service from the NAT at a particular IPv4
address, to be accidentally allocated that same IPv4 address for a
different internal destination. But, according to the rules of
SIPNAT, two different IPv6 destinations for the same global
Internet source cannot be translated through the same NAT IPv4
address.
o Each IPv4 NAT interface to the global Internet can sustain only
one pending assignment. If too many new DNS resolutions arrive
nearly simultaneously, new flow allocations may temporarily become
unavailable.
o It is possible for a flow to persist even after the IPv4 address
allocated for the flow has timed out. For such flows, incoming
packets may be lost. To counter this, flow timeouts should be set
as long as possible consistent with the target error rate. This
amounts to a trade-off against the likelihood that the same
source-IP address will request a new flow before all of its
previous flows at the allocated NAT IP address have completed (and
their flow translation parameters deactivated)
The SIPNAT document describes how to reduce or eliminate these
Perkins Expires April 22, 2010 [Page 4]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
vulnerabilities by appropriate configuration and adjustments for the
timeout parameters. The first case is the most difficult case for
SIPNAT. Fortunately, according to traffic flows that have been
analyzed to date, this almost never happens for small-to-medium scale
websites that constitute the main use case for SIPNAT. This case
does happen for very large servers, but even then it is rare, and
such servers would be more efficiently handled by IVI [3].
Perkins Expires April 22, 2010 [Page 5]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
3. Using the Payload
The basic proposal in this document is to use information contained
in the payload to assist in translating the IP header from the global
Internet for better-assured delivery to the proper internal host.
This goes beyond previous suggestions for careful configuration and
management of the NAT interface.
For instance, almost all HTTP GET traffic has the host destination
host name as part of the HTTP payload:
http.host: news.google.com
http.host: my-IPv6-server.example-operator.com
For all such incoming traffic, translation can be performed with 100%
accuracy. Current experience with border routers offering DPI
features indicates that the translation can be done at wire speed.
It is expected that this one simple observation will, for all
practical purposes, eliminate any remaining ambiguities about the
delivery of HTTP traffic.
Even in the unlikely event that the "http.host" field is not present
in the HTTP GET traffic, web traffic offers other possibilities for
guiding correct traffic. For example, the pathname of the object
webpage is typically unique to the destination. In other words, it
is rarely the case that two different destinations in the same domain
would use the same pathname to identify any webpages hosted by those
destinations. If a database of associations between pathnames and
actual destinations is maintained, any such traffic containing the
pathname for a destination can be delivered correctly. Information
about rare cases where duplicate pathnames occur can also be
maintained. Even if the pathname can narrow down the selection to a
choice between a few competing websites, the other context for the
flow translation will typically be sufficient for accurate delivery.
Other protocols, such as SIP, also typically utilize URIs and URLS
that provide domain names identifying the desired destination. For
each such protocol, the DPI methods required for extracting the
destination information will be different, but the principle is the
same.
Perkins Expires April 22, 2010 [Page 6]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
4. Peer-to-Peer
After HTTP traffic, the next major source of traffic on the Internet
is Peer-to-Peer traffic. This is typically filesharing traffic,
often using the BitTorrent protocol. In order to understand the
interactions of such traffic with SIPNAT, we will use BitTorrent as
an example.
BitTorrent relies on four different kinds of protocol entities.
o Directory of trackers
o Trackers
o Servers
o Clients
A client uses some method for finding a tracker that maintains
information about servers offering a particular file of interest.
Once contact with a tracker is established, the client obtains a list
of file segments, and for each file segment, a list of servers that
offer availability for that file segment. A client can select one or
more servers for each segment of the desired file. If a transfer for
a specific file segment from one of the selected servers does not
complete, the client can pick another server for that file segment.
Eventually, all segments will be collected together for assembly into
the complete file of interest.
With this as context, it should be considered which configurations
are of most interest. For example, consider an IPv6-only server
offering segments to clients on the global Internet. In many cases,
this sort of service will work just fine, especially if the clients
attempt to resolve the server's domain name before issuing the
request for the file segment. However, the tracker often supplies
the IP address of the server instead of the server's domain name.
For such communications, the client would expect to make contact with
the server without any intermediate DNS resolution to obtain the IP
address of the server. In this case, the SIPNAT would not have the
opportunity to allocate the necessary IPv4 address for the flow
translation.
Nevertheless, it is still possible to handle such incoming traffic,
based on detailed methods for inspecting peer-to-peer traffic
payloads. This is to be specified in a companion ALG document
describing mechanisms for handling IPv4-->IPv6 translation for the
lists of servers provided by trackers. One simple solution is just
to set up IVI-style network interfaces for the servers. For dynamic
Perkins Expires April 22, 2010 [Page 7]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
allocations of IPv4 network interfaces on the NAT router, additional
payload inspection and alterations are needed.
Perkins Expires April 22, 2010 [Page 8]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
5. Other traffic
Aside from HTTP, peer-to-peer, and SIP traffic, other protocol
services should be considered on a case-by-case basis.
For instance, DNS traffic is extremely common on the Internet.
However, it is most likely not a suitable candidate for such protocol
translations as typically handled by NATs. Therefore, for the
purposes of this document, we may consider DNS traffic to be out of
scope for the translation problem.
Mobile IP signaling is not a good candidate for such protocol
translations, because a client is either a Mobile IPv4 mobile node or
a Mobile IPv6 mobile node, and there are already methods specified by
which a Mobile IPv6 mobile node can access its home agent by way of
IPv4 addresses.
It needs to be determined whether or not mail servers that have IPv6
addresses only should be accessible by way of SIPNAT. It seems more
likely, even if they should be accessible at all to the existing IPv4
global Internet, they would be either dual-stack already, or else
good candidates for assignment of a permanent (IVI-style) IPv4
address on the NAT.
FTP does not seem to offer a good way to identify the destination by
way of the payload-oriented mechanisms described earlier in this
document. Such FTP services are better handled by way of IVI-style
static address assignment. For most of the cases of interest, file
access is more likely mediated by HTTP access instead of FTP, and the
remaining cases are typically those more appropriate for static
assignment anyway.
Telnet is not used very often any more, and anyway is likely to be
handled very well by SIPNAT except for cases when the client attempts
to contact a destination by using the raw IP address. SIPNAT does
not offer a solution for that case.
IKEv2 [2] has been designed to work across NAT boundaries.
Consequently, it does not require the use of IP addresses as part of
the IKEv2 message payload. In the case of SIPNAT, the Notify
payloads NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP
will correctly indicate the presence of address translation. If use
of a well-known IPv6 prefix is used to translate the IPv4 address,
there may be an opportunity to precisely identify the type of NAT as
"SIPNAT".
... think about SSH ...
Perkins Expires April 22, 2010 [Page 9]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
6. Segregation by access type
HTTP is a particularly common case that is easy for SIPNAT to handle
with the extensions described in this document. For destinations
that only offer services by way of HTTP, all traffic can be delivered
accurately based on the payload. This means that many different
allocations could be made at the same time without danger of
ambiguity. Effectively, the restriction for only one pending
allocation at a time could be removed.
Suppose, then, that there is a special class of destinations that
only offer HTTP service. Also suppose that the NAT is equipped to
detect the "http.host" field of incoming HTTP GET requests. For
every destination in this special class, each DNS Request could
return the same IPv4 address in the DNS Reply. The same sort of flow
translation would be set up for each HTTP destination assigned to the
IPv4 address, but the destination IP address parameter would be
determined by the payload, and matched against the initial allocation
as determined by the DNS entity. However, packet delivery should
still be granted only for destinations that had been allocated to the
IPv4 address by way of a preceding DNS request. This eligibility
requirement should be a matter of operator policy. For such traffic,
the flow timeout parameter could be configured to a much larger
value.
This scheme could potentially be extended to allow HTTP access to
some destinations identified by IP address (not hostname) in URLs.
In other words, the pathname is located at a raw IP address instead
of the usual domain name for the destination node. For these cases,
the payload can be delivered accurately, but no DNS Request would be
received to trigger the allocation of a pending flow translation.
Such unusual URLs can be supported under the typical configuration
choice for HTTP servers as has been described. Again, it is a matter
for operator choice whether it should be appropriate to provide that
support. Moreover, it is not clear how a source would ever get such
a URL with an IPv4 address to represent the IPv6-only destination.
Perkins Expires April 22, 2010 [Page 10]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
7. References
7.1. Normative References
[1] Perkins, C., "Translating IPv4 to IPv6 based on source IPv4
address", draft-perkins-sourceipnat-00 (work in progress),
October 2009.
7.2. Informative References
[2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306,
December 2005.
[3] Li, X., Bao, C., Chen, M., Zhang, H., and J. Wu, "The CERNET IVI
Translation Design and Deployment for the IPv4/IPv6 Coexistence
and Transition", draft-xli-behave-ivi-02 (work in progress),
June 2009.
[4] Bagnulo, M., Sullivan, A., Matthews, P., and I. Beijnum, "DNS64:
DNS extensions for Network Address Translation from IPv6 Clients
to IPv4 Servers", draft-ietf-behave-dns64-00 (work in
progress), July 2009.
Perkins Expires April 22, 2010 [Page 11]
�
Internet-Draft Payload-assisted Delivery for SIPNAT October 2009
Author's Address
Charles E. Perkins
WiChorus Inc.
3590 N. 1st Street, Suite 300
San Jose CA 95134
USA
Email: charliep@computer.org
Perkins Expires April 22, 2010 [Page 12]
�