NAT64 Deployment Options and Experience
RFC 7269
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Informational (June 2014) |
| Document | Authors | Gang Chen, Zhen Cao, Chongfeng Xie, David Binet |
| Document | Last updated | 2015-10-14 |
| Document | RFC stream | Internet Engineering Task Force (IETF) |
| Document | Additional resources | Mailing list discussion |
| IESG | Responsible AD | Joel Jaeggli |
| IESG | Send notices to | (None) |
Chen, et al. Informational [Page 19] RFC 7269 NAT64 Experience June 2014

Appendix A. Test Results for Application Behavior

We tested several application behaviors in a lab environment to evaluate the impact when a primary NAT64 is out of service. In this testing, participants were asked to connect to an IPv6-only WiFi network using laptops, tablets, or mobile phones. NAT64 was deployed as the gateway to provide Internet service. The tested applications are shown in the table below.

Cold Standby, Warm Standby, and Hot Standby were each tested. The participants may have experienced service interruption due to the NAT64 handover. Different interruption intervals were tested to gauge application behaviors. The results are shown below.

Table 2: The Acceptable Delay of Applications

| Application | Acceptable Interrupt Recovery | Session Continuity |
|---|---|---|
| Web browsing | Maximum of 6 s | No |
| HTTP streaming | Maximum of 10 s (cache) | Yes |
| Games | 200-400 ms | Yes |
| P2P file sharing and streaming | 10-16 s | Yes |
| Instant Message | 1 minute | Yes |
| Email | 30 s | No |
| Downloading | 1 minute | No |

Authors' Addresses

Gang Chen
China Mobile
Xuanwumenxi Ave. No. 32
Xuanwu District
Beijing 100053
P.R. China
EMail: chengang@chinamobile.com, phdgang@gmail.com

Zhen Cao
China Mobile
Xuanwumenxi Ave. No. 32
Xuanwu District
Beijing 100053
P.R. China
EMail: caozhen@chinamobile.com, zehn.cao@gmail.com

Chongfeng Xie
China Telecom
Room 708, No. 118, Xizhimennei Street
Beijing 100035
P.R. China
EMail: xiechf@ctbri.com.cn

David Binet
France Telecom-Orange
Rennes 35000
France
EMail: david.binet@orange.com