Internet DRAFT - draft-patil-pcp-multihoming
draft-patil-pcp-multihoming
PCP Working Group P. Patil
Internet-Draft T. Reddy
Intended status: Standards Track R. Penno
Expires: April 14, 2013 D. Wing
Cisco
October 11, 2012
Using PCP to control NAT and Firewalls in Multihoming
draft-patil-pcp-multihoming-00
Abstract
This note describes how Port Control Protocol (PCP) can be used to
control NATs and Firewalls in multihoming deployments.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 14, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Patil, et al. Expires April 14, 2013 [Page 1]
Internet-Draft PCP in Multihoming October 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . . 3
3. IPv6 Multihoming . . . . . . . . . . . . . . . . . . . . . . . 4
4. IPv4 Multihoming . . . . . . . . . . . . . . . . . . . . . . . 4
5. Other Multihoming use cases . . . . . . . . . . . . . . . . . . 5
5.1. IPv6 Network-Managed Firewall . . . . . . . . . . . . . . . 6
5.2. IPv4 Policy based Routing . . . . . . . . . . . . . . . . . 7
6. Multiple interfaces and Servers . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
Patil, et al. Expires April 14, 2013 [Page 2]
Internet-Draft PCP in Multihoming October 2012
1. Introduction
A host can use the Port Control Protocol (PCP) to flexibly manage the
IP address and port mapping information on Network Address
Translators (NATs) or firewalls, to facilitate communications with
remote hosts. In a multihomed network, there may be multiple PCP
servers providing Firewall or prefix translation functions to hosts
in the network.
This document covers PCP related considerations in IPv4 and IPv6
multihomed networks.
2. Problem Statement
The main problem of a PCP multihoming situation can be succintly
described as 'one client, multiple servers'. PCP-base
[I-D.ietf-pcp-base] does not address how a PCP Client should behave
in a situation when it discovers multiple PCP Servers and therefore
many questions are open to standardization. For example, if multiple
PCP Servers are discovered through the same interface, should the
client send PCP requests be sent to all of them? Are there
significant differences between a multihoming and high-availability
scenarios? If yes, how can a PCP Client determine one versus the
other. These are just a few questions related to the problem.
In this document we make the following simplifying assumption:
o Whenever a PCP Client discovers multiple PCP Servers, it will send
requests to all of them in parallel as described in
[I-D.boucadair-pcp-server-selection].
o There is no requirement that multiple PCP Servers have the same
capabilities.
o PCP Requests to different servers are independent, meaning that
the result of a PCP request to one server does not influence
another.
o If PCP Servers provides NAT, it is out of scope how the client
manages ports across PCP Servers. For example, whether PCP Client
requires all external ports to be the same or whether there are
ports available at all.
In all scenarios below PCP client has a single interface unless
explicitly noted otherwise.
Patil, et al. Expires April 14, 2013 [Page 3]
Internet-Draft PCP in Multihoming October 2012
3. IPv6 Multihoming
In an IPv6 multihomed network, two or more routers co-located with
firewalls are present on a single link shared with the host(s). Each
router is in turn connected to a different service provider network
and the host in this environment would be offered multiple prefixes
and advertised multiple DNS/NTP servers. Consider a scenario in
which firewalls within an IPv6 multihoming environment also implement
a PCP Server. PCP client learns of the available PCP servers by
using DHCP [I-D.ietf-pcp-dhcp] or any other PCP server discovery
technique defined in future specifications. The PCP client will send
PCP requests in parallel to each of the PCP Servers as described in
[I-D.boucadair-pcp-server-selection].
==================
| Internet |
==================
| |
| |
+----+-+ +-+----+
| ISP1 | | ISP2 |
+----+-+ +-+----+ ISP Network
| |
.........................................................
| |
| | Subscriber Network
+-------+---+ +----+------+
| rtr1 with | | rtr2 with |
| FW1 | | FW2 |
+-------+---+ +----+------+
| |
| |
| |
-----+-+-----+------
|
+-+-----+
| Hosts |
+-------+
Figure 1: IPv6 Multihoming
4. IPv4 Multihoming
In an IPv4 multihomed network, the gateway router is connected to
different service provider networks. The host is connected to the
gateway router and is given a private IPv4 address oblivious to the
fact that there are multiple service providers. The Gateway router
Patil, et al. Expires April 14, 2013 [Page 4]
Internet-Draft PCP in Multihoming October 2012
will be configured with multiple PCP proxy servers, each
corresponding to an upstream PCP server. Each PCP Server is
announced independently since it is within a different ISP. PCP
client can learn these multiple PCP proxy addresses using DHCP or any
other PCP server discovery technique. The PCP client, by sending PCP
requests in parallel to both the PCP proxies, will learn the external
IP addresses and ports allocated by each of the upstream PCP servers.
The Gateway router which implements a PCP Proxy [I-D.bpw-pcp-proxy] ,
creates local NAT state, modifies the PCP request and forwards it to
the PCP server. The incoming PCP response will be updated by the PCP
Proxy and forwarded to the PCP client.
====================
| Internet |
=====================
| |
| |
+----+--------+ +-+------------+
| ISP1 | | ISP2 |
| PCP ServerA | | PCP ServerB |
+----+--------+ +-+------------+ ISP Network
| |
| |
..............................................................
| |
| Port1 | Port2 Subscriber Network
| |
+----+-----------------+
| NAPT & PCP Proxy |
| GW Router |
+----+-----------------+
|
|
|
-----+-+-----+------
|
+-+-----+
| Hosts | (private address space)
+-------+
Figure 2: IPv4 Multihomed environment with Gateway Router performing
NAPT
5. Other Multihoming use cases
Patil, et al. Expires April 14, 2013 [Page 5]
Internet-Draft PCP in Multihoming October 2012
5.1. IPv6 Network-Managed Firewall
A network-managed Firewall uses the same techniques as the premises-
based firewall, but the firewall service is delivered using a
security appliance positioned in the ISP. The requesting router in
customer premises may obtain the PCP server addresses from the ISP
delegating router, and then pass that configuration information on to
the PCP clients through a DHCP server in the requesting router in the
customer premises. The PCP client can also learn PCP servers using
other PCP server discovery techniques. Each PCP Server is announced
independently since it is within a different ISP.
====================
| Internet |
=====================
| |
| |
+----+------+ +-+---------+
| | | |
| ISP1 with | | ISP2 with |
| FW1 | | FW2 |
+----+------+ +-+---------+ ISP Network
| |
............................................................
| |
| Port1 | Port2 Subscriber Network
| |
+----+-----------------+
| Gateway |
| Router |
+----+-----------------+
|
|
|
-----+-+-----+------
|
+-+-----+
| Hosts |
+-------+
Figure 3: Network-Managed Firewall
When the PCP client sends a PCP request to the PCP server deployed in
the ISP and the source address of the PCP request is not the one that
is delegated by the upstream ISP, then that PCP request will be
dropped at the ISP by its ingress filter rule. Ingress filtering is
becoming more popular among ISPs to mitigate the damage of denial-of-
service (DoS) attacks as explained in section 2.1.2 of [RFC5220]. In
IPv6 multihoming the PCP client will eventually learn that the PCP
Patil, et al. Expires April 14, 2013 [Page 6]
Internet-Draft PCP in Multihoming October 2012
server responds to only PCP requests with specific source address
after few attempts and hence can discard sending PCP requests with
wrong source address to the PCP server provided by the ISP.
5.2. IPv4 Policy based Routing
Policy based Routing (PBR) with multi-homing is typically used in
enterprises to route packets from the same source IP address to
different ISP based on configuration policies and match conditions
based on source IP address, destination IP address, destination port,
DSCP value(s), L4 and L7 protocols (e.g., SIP, RTP, RTSP) etc. For
e.g. a site with Dual WAN connections Gold-ISP, Bronze-ISP and uses
Gold-ISP for certain traffic only (e.g. Media). In such a
environment NAT has different NAT pools and would rely on pre-
configured PBR policy to determine which NAT address pool to use when
an IP packet comes from an internal host. PCP allows a host to
interact with a PCP-controlled NAT device and request an external IP
and port. Therefore a PCP Server that controls the NAT device with
PBR and receives a PCP request from a PCP client needs to know from
which NAT pool to allocate an external IP address and port.
The PCP PEER request would contain the destination IP address,
destination port and transport protocol of the remote peer that the
PCP client will be trying to communicate with. The PCP MAP request
with FILTER option would also contain the destination IP address,
transport port but the destination port could be all ports. The NAT
device based on the information present in the PCP request can
possibly select the NAT pool, create mapping and return the external
IP address and port in PCP response.
There is also a possibility that PBR is determined based on other
information like L7 protocol, DSCP value(s) that is not conveyed by
default in the PCP PEER or MAP with FILTER option. Further In case
of PCP MAP request with just the 3-tuple information (internal port,
protocol and source IP address), the NAT device does not know which
NAT pool to use. Hence if the information conveyed in PCP request is
not sufficient to execute the policy then the PCP server will return
a new error code (PROVIDE_MORE_DATA) in the PCP response to the PCP
client asking it to provide additional information in subsequent PCP
requests. The PCP client can then convey more information like
DESCRIPTION, DSCP_POLICY using the PCP extensions defined in
[I-D.boucadair-pcp-extensions].
6. Multiple interfaces and Servers
One interesting case for PCP multi-homing is when a end host such as
a mobile terminal has multiple interfaces concurrently active, for
Patil, et al. Expires April 14, 2013 [Page 7]
Internet-Draft PCP in Multihoming October 2012
example, Wi-Fi and 3G. In this case PCP client would discover
different PCP Servers over different interfaces. Although multiple
interfaces are available, an application might choose to use just one
based on, for example, bandwidth requirements, and therefore would
need to send PCP requests to just one PCP Server.
This scenario requires further discussion. TBD
7. Security Considerations
Security considerations in [I-D.ietf-pcp-base] apply to this use.
8. IANA Considerations
The following PCP result code is to be allocated : PROVIDE_MORE_DATA
9. References
9.1. Normative References
[I-D.boucadair-pcp-extensions]
Boucadair, M., Penno, R., and D. Wing, "Some Extensions to
Port Control Protocol (PCP)",
draft-boucadair-pcp-extensions-03 (work in progress),
April 2012.
[I-D.boucadair-pcp-server-selection]
Boucadair, M., Penno, R., and D. Wing, "PCP Server
Selection", draft-boucadair-pcp-server-selection-00 (work
in progress), September 2012.
[I-D.bpw-pcp-proxy]
Boucadair, M., Penno, R., Wing, D., and F. Dupont, "Port
Control Protocol (PCP) Proxy Function",
draft-bpw-pcp-proxy-02 (work in progress), September 2011.
[I-D.ietf-pcp-base]
Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)",
draft-ietf-pcp-base-28 (work in progress), October 2012.
[I-D.ietf-pcp-dhcp]
Boucadair, M., Penno, R., and D. Wing, "DHCP Options for
the Port Control Protocol (PCP)", draft-ietf-pcp-dhcp-05
(work in progress), September 2012.
Patil, et al. Expires April 14, 2013 [Page 8]
Internet-Draft PCP in Multihoming October 2012
9.2. Informative References
[RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
"Problem Statement for Default Address Selection in Multi-
Prefix Environments: Operational Issues of RFC 3484
Default Rules", RFC 5220, July 2008.
Authors' Addresses
Prashanth Patil
Cisco Systems, Inc.
Cessna Business Park, Varthur Hobli
Sarjapur Marthalli Outer Ring Road
Bangalore, Karnataka 560103
India
Email: praspati@cisco.com
Tirumaleswar Reddy
Cisco Systems, Inc.
Cessna Business Park, Varthur Hobli
Sarjapur Marathalli Outer Ring Road
Bangalore, Karnataka 560103
India
Email: tireddy@cisco.com
Reinaldo Penno
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
Email: repenno@cisco.com
Dan Wing
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
Email: dwing@cisco.com
Patil, et al. Expires April 14, 2013 [Page 9]