Internet Engineering Task Force J. Schoenwaelder Internet-Draft Jacobs University Bremen Intended status: Standards Track C. Zhou Expires: January 5, 2012 Huawei Technologies July 4, 2011 Extension of the NAT-MIB to support NAT64 and CGN (and DS-Lite) draft-schoenw-behave-nat-mib-bis-00 Abstract This document discusses the extensions of the NAT-MIB needed to support newer Network Address Translator (NAT) variants such as NAT64, Carried Grade NAT (CGN), or Dual-Stack Lite (DS-Lite). Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 5, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Schoenwaelder & Zhou Expires January 5, 2012 [Page 1] Internet-Draft Extension of the NAT-MIB July 2011 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Structure of the NAT-MIB . . . . . . . . . . . . . . . . . . . 3 3. Extensions of the NAT-MIB . . . . . . . . . . . . . . . . . . . 4 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 8. Normative References . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Schoenwaelder & Zhou Expires January 5, 2012 [Page 2] Internet-Draft Extension of the NAT-MIB July 2011 1. Introduction The NAT-MIB [RFC4008] defines a standards-track model for configuring and monitoring Network Address Translators (NATs). Recently, a number of new NAT variants have been proposed such as stateful NAT64 [RFC6146], Carried Grade NAT (CGN), and Dual-Stack Lite (DS-Lite) [I-D.ietf-softwire-dual-stack-lite]. A number of new MIB modules have been proposed to support these new variants of NATs. This document provides an analysis and proposes to revise the NAT-MIB itself instead of creating additional MIB modules. 2. Structure of the NAT-MIB The NAT-MIB [RFC4008] consists of tables carrying configuration information and tables indicating the currently active bindings and NAT sessions as shown in the figure below. +----------------------+ +-----------------+ +-----| natInterfaceTable |--------| natAddrMapTable |-+ | +----------------------+ +-----------------+ |-+ +---+ +-----------------+ | | i | +-----------------+ | n | | t | +----------------------+ | e |---| natAddrBindTable |-+ | r | +----------------------+ |-+ | f | +----------------------+ | | a | +----------------------+ | c | | e | +----------------------+ | |---| natAddrPortBindTable |-+ +---+ +----------------------+ |-+ | +----------------------+ | | +----------------------+ | | | +----------------------+ +-----| natSessionTable |-+ +----------------------+ |-+ +----------------------+ | +----------------------+ The NAT-MIB enables NAT functionality on a per interface basis. As a consequence, the natInterfaceTable, is indexed by an ifIndex value. The table describing address pools, the natAddrMapTable, is indexed by an ifIndex value and a natAddrMapIndex. While it is possible to have multiple address pools configured on a NAT function of an Schoenwaelder & Zhou Expires January 5, 2012 [Page 3] Internet-Draft Extension of the NAT-MIB July 2011 interface, NAT functions on different interfaces will have separate address pools. The actual NAT bindings are reported in the natAddrBindTable (in case of pure address translation) indexed by an ifIndex value and the local private-realm network address and type or the natAddrPortBindTable (in case of address and port translation) indexed by an ifIndex value, the local private-realm network address and type and the local port number and protocol. The natSessionTable provide statistics about NAT sessions. 3. Extensions of the NAT-MIB As a consequence of the design of the NAT-MIB, the address pools configured in the natAddrMapTable are interface specific and cannot be shared between multiple interfaces. In order to support NATs where the goal is to share public IPv4 addresses or address pools of public IPv4 addresses with multiple interfaces (multiple customers), an extension of the NAT-MIB is required allowing to configure address pools that can be shared between NAT interfaces. One way of achieving this is to create a new natSharedAddrMapTable with a unique index (natSharedAddrMapIndex) that is referenced from natInterfaceTable entries. If the reference is not provided, a suitable natAddrMapTable entry is expected to be used. The NAT64 MIB proposal [I-D.jpdionne-behave-nat64-mib] suggests to extend the natAddrMapTable so that a NAT64 prefix can be configured in case the default is not used. It is not clear whether this functionality is necessary to add since the NAT-MIB already allows to configure address ranges. (And it is unclear how the new proposed objects would interact with the existing objects). Other proposed changes are clarifications of discard notifications, explainions of terminology differences, and the support of NAT sessions for ICMP. However, it is not clear whether adding the word 'icmp' to an enumeration is sufficient (nor is it clear what to do about DCCP and SCTP). The CGN MIB proposal [I-D.jpdionne-behave-cgn-mib] suggests to add objects to limit and/or throttle address and port allocations in order to address requirements detailed in [I-D.ietf-behave-lsn-requirements]. In addition, additional notifications are proposed to indicate address or port exhaustion. Finally, the authors suggest to add tables providing aggregated statistics about the usage of NAT address pools. The DS-Lite MIB proposal [I-D.fu-softwire-dslite-mib] suggests new objects to represent the relationship between the objects representing tunnels (as defined in the TUNNEL-MIB, [RFC4087]) and the NAT-MIB. However, since a tunnel is identified by its unique Schoenwaelder & Zhou Expires January 5, 2012 [Page 4] Internet-Draft Extension of the NAT-MIB July 2011 ifIndex value and since the natInterfaceTable is also indexed by an ifIndex value, it is unclear why this is needed. The proposal also suggests to add additional counters, e.g., tunnel specific counters for NAT bindings. Architecturally, it seems to be more desirable to clearly separate the NAT functionality from the tunnel functionality. In particular, the IPv4-in-IPv6 tunnel architecturally ends at the tunnel interface and hence the NAT function only receives IPv4 packets arriving via a tunnel interface. However, it seems that gateway initiated tunnels that use IPv6-Flow-Label bits as a context identifier (CID) [I-D.ietf-softwire-gateway-init-ds-lite] require further discussion. 4. Conclusions Looking at the structure of the current NAT-MIB and the proposed extensions, it seems the best way forward is to revise the NAT-MIB to add a minimal number of additional objects and any clarifications needed to cover NAT64, CGNs, and DS-Lite. This seems to be a better approach than creating several independent extensions, in particular since some extensions seem to be generally applicable. In particular, the following items need to be worked on: o Extend the NAT-MIB to support address pools shared between interface specific NAT instances. o Extend the NAT-MIB to support protocols other than UDP and TCP. o Add support to limit and/or throttle binding allocations. o Clarify existing notifications (e.g., natPacketDiscard) and add any additional notifications that may be needed for binding limits / binding throttling. In addition, it will be necessary to look at protocols like the Port Control Protocol (PCP) [I-D.ietf-pcp-base] that can create time- limited static entries. To help readers and implementers, it might be desirable to include (for example in an appendix) a description plus examples how the revised NAT-MIB can be used by NAT64 implementations, CGNs, and DS- Lite implementations. To support DS-Lite (and related technologies such as 6RD), a revision of the TUNNEL-MIB [RFC4087] may be needed as well or suitable tunnel type specific extensions. Schoenwaelder & Zhou Expires January 5, 2012 [Page 5] Internet-Draft Extension of the NAT-MIB July 2011 For configuration objects, it might be desirable to also produce a YANG data model (for use with the NETCONF protocol) that is consistent with the design of the revised NAT-MIB. 5. IANA Considerations This document has no IANA actions. 6. Security Considerations This document has no impact on the security of the Internet. 7. Acknowledgements The authors like to thank Jean-Philippe Dionne for comments on an early version of this document. 8. Normative References [I-D.fu-softwire-dslite-mib] Fu, Y., Jiang, S., Cui, Y., and J. Dong, "DS-Lite Management Information Base (MIB)", draft-fu-softwire-dslite-mib-00 (work in progress), May 2011. [I-D.ietf-behave-lsn-requirements] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common requirements for IP address sharing schemes", draft-ietf-behave-lsn-requirements-01 (work in progress), March 2011. [I-D.ietf-pcp-base] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", draft-ietf-pcp-base-12 (work in progress), May 2011. [I-D.ietf-softwire-dual-stack-lite] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- Stack Lite Broadband Deployments Following IPv4 Exhaustion", draft-ietf-softwire-dual-stack-lite-11 (work in progress), May 2011. [I-D.ietf-softwire-gateway-init-ds-lite] Brockners, F., Gundavelli, S., Speicher, S., and D. Ward, Schoenwaelder & Zhou Expires January 5, 2012 [Page 6] Internet-Draft Extension of the NAT-MIB July 2011 "Gateway Initiated Dual-Stack Lite Deployment", draft-ietf-softwire-gateway-init-ds-lite-04 (work in progress), June 2011. [I-D.jpdionne-behave-cgn-mib] Dionne, J. and M. Blanchet, "CGN Management Information Base (MIB)", draft-jpdionne-behave-cgn-mib-00 (work in progress), July 2011. [I-D.jpdionne-behave-nat64-mib] Dionne, J. and M. Blanchet, "NAT64 Management Information Base (MIB)", draft-jpdionne-behave-nat64-mib-00 (work in progress), March 2011. [RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and C. Wang, "Definitions of Managed Objects for Network Address Translators (NAT)", RFC 4008, March 2005. [RFC4087] Thaler, D., "IP Tunnel MIB", RFC 4087, June 2005. [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011. Authors' Addresses Juergen Schoenwaelder Jacobs University Bremen Campus Ring 1 Bremen 28759 Germany Email: j.schoenwaelder@jacobs-university.de Cathy Zhou Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Email: cathyzhou@huawei.com Schoenwaelder & Zhou Expires January 5, 2012 [Page 7]