NAT64 Deployment Options and Experience
RFC 7269

Document Type RFC - Informational (June 2014)
Authors Gang Chen, Zhen Cao, Chongfeng Xie, David Binet
Last updated 2015-10-14
RFC stream Internet Engineering Task Force (IETF)
IESG Responsible AD Joel Jaeggli
ACE Working Group                                              C. Sengul
Internet-Draft                                                  A. Kirby
Intended status: Standards Track                                 Nominet
Expires: April 15, 2018                                     P. Fremantle
                                                University of Portsmouth
                                                        October 12, 2017

                        MQTT-TLS profile of ACE
                  draft-sengul-ace-mqtt-tls-profile-01

Abstract

   This document specifies a profile for the ACE (Authentication and
   Authorization for Constrained Environments) to enable authorization
   in an MQTT-based publish-subscribe messaging system.  Proof-of-
   possession keys, bound to OAuth2.0 access tokens, are used to
   authenticate and authorize publishing and subscribing clients.  The
   protocol relies on TLS for confidentiality and server authentication.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 15, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Sengul, et al.           Expires April 15, 2018                 [Page 1]
Internet-Draft           MQTT-TLS profile of ACE            October 2017

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
     1.2.  ACE-Related Terminology . . . . . . . . . . . . . . . . .   4
     1.3.  MQTT-Related Terminology  . . . . . . . . . . . . . . . .   4
   2.  Basic Protocol Interactions . . . . . . . . . . . . . . . . .   5
     2.1.  Authorizing Connection Establishment  . . . . . . . . . .   6
       2.1.1.  Client Authorization Server (CAS) and Authorization
               Server (AS) Interaction . . . . . . . . . . . . . . .   7
       2.1.2.  Client connection request to the broker . . . . . . .   8
       2.1.3.  Token validation  . . . . . . . . . . . . . . . . . .  10
       2.1.4.  The broker's response to client connection request  .  11
     2.2.  Authorizing PUBLISH messages  . . . . . . . . . . . . . .  11
       2.2.1.  PUBLISH messages from the publisher client to the
               broker  . . . . . . . . . . . . . . . . . . . . . . .  11
       2.2.2.  PUBLISH messages from the broker to the subscriber
               clients . . . . . . . . . . . . . . . . . . . . . . .  12
     2.3.  Authorizing SUBSCRIBE messages  . . . . . . . . . . . . .  12
     2.4.  Token expiration  . . . . . . . . . . . . . . . . . . . .  13
     2.5.  Handling disconnections and retained messages . . . . . .  13
   3.  Improved Protocol Interactions with MQTT v5 . . . . . . . . .  14
     3.1.  Token Transport via Authentication Exchange (AUTH)  . . .  14
     3.2.  Authorization Errors and Client Re-authentication . . . .  16
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  16
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  17
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  17
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  17
   Appendix A.  Checklist for profile requirements . . . . . . . . .  18
   Appendix B.  The authorization information endpoint . . . . . . .  19
   Appendix C.  Document Updates . . . . . . . . . . . . . . . . . .  19
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  20
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  20

1.  Introduction

   This document specifies a profile for the ACE framework
   [I-D.ietf-ace-oauth-authz].  In this profile, clients and a resource
   server use MQTT to communicate.  The protocol relies on TLS for
   communication security between entities.  The basic protocol
   interactions follow MQTT v3.1 - OASIS Standard [MQTT-OASIS-Standard].
   This document also describes improvements to the basic protocol

Chen, et al.                  Informational                    [Page 19]
RFC 7269                    NAT64 Experience                   June 2014
Appendix A.  Test Results for Application Behavior

   We tested several application behaviors in a lab environment to
   evaluate the impact when a primary NAT64 is out of service.  In this
   testing, participants were asked to connect to an IPv6-only WiFi
   network using laptops, tablets, or mobile phones.  NAT64 was
   deployed as the gateway to provide Internet service.  The tested
   applications are shown in the table below.  Cold Standby, Warm
   Standby were each tested.  The participants may have experienced
   service interruption due to the NAT64 handover.  Different
   interruption intervals were tested to gauge application behaviors.
   The results are shown below.

                  Table 2: The Acceptable Delay of Applications

   +----------------+------------------------+-------------------------+
   | Application    | Acceptable Interrupt   |   Session Continuity    |
   |                |        Recovery        |                         |
   +----------------+------------------------+-------------------------+
   | Web browsing   | Maximum of 6 s         |  No                     |
   +----------------+------------------------+-------------------------+
   | HTTP streaming | Maximum of 10 s (cache)|  Yes                    |
   +----------------+------------------------+-------------------------+
   | Games          | 200-400 ms             |  Yes                    |
   +----------------+------------------------+-------------------------+
   |P2P file sharing| 10-16 s                |  Yes                    |
   |and streaming   |                        |                         |
   +----------------+------------------------+-------------------------+
   | Instant Message| 1 minute               |  Yes                    |
   +----------------+------------------------+-------------------------+
   | Email          | 30 s                   |  No                     |
   +----------------+------------------------+-------------------------+
   | Downloading    | 1 minute               |  No                     |
   +----------------+------------------------+-------------------------+

Authors' Addresses

   Gang Chen
   China Mobile
   Xuanwumenxi Ave. No. 32
   Xuanwu District
   Beijing  100053
   P.R. China

   EMail: chengang@chinamobile.com, phdgang@gmail.com

   Zhen Cao
   China Mobile
   Xuanwumenxi Ave. No. 32
   Xuanwu District
   Beijing  100053
   P.R. China

   EMail: caozhen@chinamobile.com, zehn.cao@gmail.com

   Chongfeng Xie
   China Telecom
   Room 708, No. 118, Xizhimennei Street
   Beijing  100035
   P.R. China

   EMail: xiechf@ctbri.com.cn

   David Binet
   France Telecom-Orange
   Rennes
   35000
   France

   EMail: david.binet@orange.com
