Skip to main content

Common requirements for Carrier Grade NATs (CGNs)
draft-ietf-behave-lsn-requirements-08

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 6888.
Authors Simon Perreault , Ikuhei Yamagata , Shin Miyakawa , Akira Nakagawa , Hiroyuki Ashida
Last updated 2012-07-19 (Latest revision 2012-07-11)
Replaces draft-nishitani-cgn
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Became RFC 6888 (Best Current Practice)
Consensus boilerplate Unknown
Telechat date (None)
Needs a YES. Needs 10 more YES or NO OBJECTION positions to pass.
Responsible AD Wesley Eddy
IESG note ** No value found for 'doc.notedoc.note' **
Send notices to behave-chairs@tools.ietf.org, draft-ietf-behave-lsn-requirements@tools.ietf.org
draft-ietf-behave-lsn-requirements-08
Internet Engineering Task Force                        S. Perreault, Ed.
Internet-Draft                                                  Viagenie
Updates: 4787 (if approved)                                  I. Yamagata
Intended status: BCP                                         S. Miyakawa
Expires: January 12, 2013                             NTT Communications
                                                             A. Nakagawa
                                          Japan Internet Exchange (JPIX)
                                                               H. Ashida
                                                      IS Consulting G.K.
                                                           July 11, 2012

           Common requirements for Carrier Grade NATs (CGNs)
                 draft-ietf-behave-lsn-requirements-08

Abstract

   This document defines common requirements for Carrier-Grade NAT
   (CGN).  It updates RFC 4787.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 12, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Perreault, et al.       Expires January 12, 2013                [Page 1]
Internet-Draft              CGN Requirements                   July 2012

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Requirements for CGNs  . . . . . . . . . . . . . . . . . . . .  5
   4.  Logging  . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Bulk Port Allocation . . . . . . . . . . . . . . . . . . . . . 12
   6.  Deployment Considerations  . . . . . . . . . . . . . . . . . . 13
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 13
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 14
     10.2.  Informative Reference . . . . . . . . . . . . . . . . . . 14
   Appendix A.  Change Log (to be removed by RFC Editor prior to
                publication)  . . . . . . . . . . . . . . . . . . . . 16
     A.1.   Changed in -08  . . . . . . . . . . . . . . . . . . . . . 16
     A.2.   Changed in -07  . . . . . . . . . . . . . . . . . . . . . 16
     A.3.   Changed in -06  . . . . . . . . . . . . . . . . . . . . . 17
     A.4.   Changed in -05  . . . . . . . . . . . . . . . . . . . . . 18
     A.5.   Changed in -04  . . . . . . . . . . . . . . . . . . . . . 18
     A.6.   Changed in -03  . . . . . . . . . . . . . . . . . . . . . 18
     A.7.   Changed in -02  . . . . . . . . . . . . . . . . . . . . . 19
     A.8.   Changed in -01  . . . . . . . . . . . . . . . . . . . . . 20
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20

Perreault, et al.       Expires January 12, 2013                [Page 2]
Internet-Draft              CGN Requirements                   July 2012

1.  Introduction

   With the shortage of IPv4 addresses, it is expected that more
   Internet Service Providers (ISPs) may want to provide a service where
   a public IPv4 address would be shared by many subscribers.  Each
   subscriber is assigned a private address, and a Network Address
   Translator (NAT) [RFC2663] situated in the ISP's network translates
   between private and public addresses.  When a second IPv4 NAT is
   located at the customer edge, this results in two layers of NAT.

   This service can conceivably be offered alongside others, such as
   IPv6 services or regular IPv4 service assigning public addresses to
   subscribers.  Some ISPs started offering such a service long before
   there was a shortage of IPv4 addresses, showing that there are
   driving forces other than the shortage of IPv4 addresses.  One
   approach to CGN deployment is described in [RFC6264].

   This document describes behavior that is required of those multi-
   subscriber NATs for interoperability.  It is not an IETF endorsement
   of CGN or a real specification for CGN, but rather just a minimal set
   of requirements that will increase the likelihood of applications
   working across CGNs.

   Because subscribers do not receive unique IPv4 addresses, Carrier
   Grade NATs introduce substantial limitations in communications
   between subscribers and with the rest of the Internet.  In
   particular, it is considerably more involved to establish proxy
   functionality at the border between internal and external realms.
   Some applications may require substantial enhancements, while some
   others may not function at all in such an environment.  Please see
   "Issues with IP Address Sharing" [RFC6269] for details.

   This document builds upon previous works describing requirements for
   generic NATs [RFC4787][RFC5382][RFC5508].  These documents, and their
   updates if any, still apply in this context.  What follows are
   additional requirements, to be satisfied on top of previous ones.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Readers are expected to be familiar with "NAT Behavioral Requirements
   for Unicast UDP" [RFC4787] and the terms defined there.  The
   following additional term is used in this document:

Perreault, et al.       Expires January 12, 2013                [Page 3]
Internet-Draft              CGN Requirements                   July 2012

   Carrier-Grade NAT (CGN):  A NAT-based [RFC2663] logical function used
      to share the same IPv4 address among several subscribers.  A CGN
      is not managed by the subscribers.

         Note that the term "carrier-grade" has nothing to do with the
         quality of the NAT; that is left to discretion of implementers.
         Rather, it is to be understood as a topological qualifier: the
         NAT is placed in an ISP's network and translates the traffic of
         potentially many subscribers.  Subscribers have limited or no
         control over the CGN, whereas they typically have full control
         over a NAT placed on their premises.

         Note also that the CGN described in this document is IPv4-only.
         IPv6 address translation is not considered.

         However, the scenario in which the IPv4-only CGN logical
         function is used may include IPv6 elements.  For example, DS-
         Lite [RFC6333] uses an IPv4-only CGN logical function in a
         scenario making use of IPv6 encapsulation.  Therefore, this
         document would also apply to the CGN part of DS-Lite.

   Figure 1 summarizes a common network topology in which a CGN
   operates.

                                  .
                                  :
                                  |       Internet
                  ............... | ...................
                                  |       ISP network
                  External pool:  |
                  192.0.2.1/26    |
                              ++------++  External realm
                  ........... |  CGN   |...............
                              ++------++  Internal realm
                       10.0.0.1 |    |
                                |    |
                                |    |    ISP network
                  ............. | .. | ................
                                |    |  Customer premises
                     10.0.0.100 |    | 10.0.0.101
                        ++------++  ++------++
                        |  CPE1  |  |  CPE2  |  etc.
                        ++------++  ++------++

               (IP addresses are only for example purposes)

                      Figure 1: CGN network topology

Perreault, et al.       Expires January 12, 2013                [Page 4]
Internet-Draft              CGN Requirements                   July 2012

   Another possible topology is one for hotspots, where there is no
   customer premise or customer-premises equipment (CPE), but where a
   CGN serves a bunch of customers who don't trust each other and hence
   fairness is an issue.  One important difference with the previous
   topology is the absence of a second layer of NAT.  This, however, has
   no impact on CGN requirements since they are driven by fairness and
   robustness in the service provided to customers, which applies in
   both cases.

3.  Requirements for CGNs

   What follows is a list of requirements for CGNs.  They are in
   addition to those found in other documents such as [RFC4787],
   [RFC5382], and [RFC5508].

   REQ-1:  If a CGN forwards packets containing a given transport
           protocol, then it MUST fulfill that transport protocol's
           behavioral requirements.  Current applicable documents are as
           follows:

           A.  "NAT Behavioral Requirements for Unicast UDP" [RFC4787]

           B.  "NAT Behavioral Requirements for TCP" [RFC5382]

           C.  "NAT Behavioral Requirements for ICMP" [RFC5508]

           D.  "NAT Behavioral Requirements for DCCP" [RFC5597]

           If NAT behavioral requirements documents are created for
           additional protocols, then these new documents MUST update
           this list by adding themselves to it.

   Justification:  It is crucial for CGNs to maximize the set of
      applications that can function properly across them.  The IETF has
      documented the best current practices for UDP, TCP, ICMP, and
      DCCP.

   REQ-2:  A CGN MUST have a default "IP address pooling" behavior of
           "Paired" (as defined in [RFC4787] section 4.1).  A CGN MAY
           provide a mechanism for administrators to change this
           behavior on an application protocol basis.

           *  When multiple overlapping internal IP address ranges share
              the same external IP address pool (e.g., DS-Lite
              [RFC6333]), the "IP address pooling" behavior applies to
              mappings between external IP addresses and internal
              subscribers rather than between external and internal IP

Perreault, et al.       Expires January 12, 2013                [Page 5]
Internet-Draft              CGN Requirements                   July 2012

              addresses.

   Justification:  This stronger form of REQ-2 from [RFC4787] is
      justified by the stronger need for not breaking applications that
      depend on the external address remaining constant.

      Note that this requirement applies regardless of the transport
      protocol.  In other words, a CGN must use the same external IP
      address mapping for all sessions associated with the same internal
      IP address, be they TCP, UDP, ICMP, something else, or a mix of
      different protocols.

      The justification for allowing other behaviors is to allow the
      administrator to save external addresses and ports for application
      protocols that are known to work fine with other behaviors in
      practice.  However, the default behavior MUST be "Paired".

   REQ-3:  The CGN function SHOULD NOT have any limitations on the size
           nor the contiguity of the external address pool.  In
           particular, the CGN function MUST be configurable with
           contiguous or non-contiguous external IPv4 address ranges.

   Justification:  Given the increasing rarity of IPv4 addresses, it is
      becoming harder for an operator to provide large contiguous
      address pools to CGNs.  Additionally, operational flexibility may
      require non-contiguous address pools for reasons such as
      differentiated services, routing management, etc.

      The reason for having SHOULD instead of MUST is to account for
      limitations imposed by available resources as well as constraints
      imposed for security reasons.

   REQ-4:  A CGN MUST support limiting the number of external ports (or,
           equivalently, "identifiers" for ICMP) that are assigned per
           subscriber.

           A.  Limits MUST be configurable by the CGN administrator.

           B.  Limits MAY be configurable independently per transport
               protocol.

           C.  Additionally, it is RECOMMENDED that the CGN include
               administrator-adjustable thresholds to prevent a single
               subscriber from consuming excessive CPU resources from
               the CGN (e.g., rate limit the subscriber's creation of
               new mappings).

Perreault, et al.       Expires January 12, 2013                [Page 6]
Internet-Draft              CGN Requirements                   July 2012

   Justification:  A CGN can be considered a network resource that is
      shared by competing subscribers.  Limiting the number of external
      ports assigned to each subscriber mitigates the DoS attack that a
      subscriber could launch against other subscribers through the CGN
      in order to get a larger share of the resource.  It ensures
      fairness among subscribers.  Limiting the rate of allocation
      mitigates a similar attack where the CPU is the resource being
      targeted instead of port numbers, however this requirement is not
      a MUST because it is very hard to explicitly call out all CPU-
      consuming events.

   REQ-5:  A CGN SHOULD support limiting the amount of state memory
           allocated per mapping and per subscriber.  This may include
           limiting the number of sessions, the number of filters, etc.,
           depending on the NAT implementation.

           A.  Limits SHOULD be configurable by the CGN administrator.

           B.  Additionally, it SHOULD be possible to limit the rate at
               which memory-consuming state elements are allocated.

   Justification:  A NAT needs to keep track of TCP sessions associated
      to each mapping.  This state consumes resources for which, in the
      case of a CGN, subscribers may compete.  It is necessary to ensure
      that each subscriber has access to a fair share of the CGN's
      resources.  Limiting the rate of allocation is intended to prevent
      against CPU resource exhaustion.  Item "B" is at the SHOULD level
      to account for the fact that means other than rate limiting may be
      used to attain the same goal.

   REQ-6:  It MUST be possible to administratively turn off translation
           for specific destination addresses and/or ports.

   Justification:  It is common for a CGN administrator to provide
      access for subscribers to servers installed in the ISP's network
      in the external realm.  When such a server is able to reach the
      internal realm via normal routing (which is entirely controlled by
      the ISP), translation is unneeded.  In that case, the CGN may
      forward packets without modification, thus acting like a plain
      router.  This may represent an important efficiency gain.

      Figure 2 illustrates this use-case.

Perreault, et al.       Expires January 12, 2013                [Page 7]
Internet-Draft              CGN Requirements                   July 2012

                 X1:x1            X1':x1'            X2:x2
                 +---+from X1:x1  +---+from X1:x1    +---+
                 | C |  to X2:x2  |   |  to X2:x2    | S |
                 | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
                 | i |            | G |              | r |
                 | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
                 | n |from X2:x2  |   |from X2:x2    | e |
                 | t |  to X1:x1  |   |  to X1:x1    | r |
                 +---+            +---+              +---+

                        Figure 2: CGN pass-through

   REQ-7:  It is RECOMMENDED that a CGN have an "Endpoint-Independent
           Filtering" behavior (as defined in [RFC4787] section 5).  If
           it is known that "Address-Dependent Filtering" does not cause
           the application-layer protocol to break (how to determine
           this is out of scope for this document), then it MAY be used
           instead.

   Justification:  This is a stronger form of REQ-8 from [RFC4787].
      This is based on the observation that some games and peer-to-peer
      applications require EIF for the NAT traversal to work.  In the
      context of a CGN it is important to minimize application breakage.

   REQ-8:  Once an external port is deallocated, it SHOULD NOT be
           reallocated to a new mapping until at least 120 seconds have
           passed, with the exceptions being:

           A.  If the CGN tracks TCP sessions (e.g., with a state
               machine, as in [RFC6146] section 3.5.2.2), TCP ports MAY
               be reused immediately.

           B.  If external ports are statically assigned to internal
               addresses (e.g., address X with port range 1000-1999 is
               assigned to subscriber A, 2000-2999 to subscriber B,
               etc.), and the assignment remains constant across state
               loss, then ports MAY be reused immediately.

           C.  If the allocated external ports used address-dependent or
               address-and-port-dependent filtering before state loss,
               they MAY be reused immediately.

           The length of time and the maximum number of ports in this
           state MUST be configurable by the CGN administrator.

Perreault, et al.       Expires January 12, 2013                [Page 8]
Internet-Draft              CGN Requirements                   July 2012

   Justification:  This is necessary in order to prevent collisions
      between old and new mappings and sessions.  It ensures that all
      established sessions are broken instead of redirected to a
      different peer.

      The exceptions are for cases where reusing a port immediately does
      not create a possibility that packets would be redirected to the
      wrong peer.  One can imagine other exceptions where mapping
      collisions are avoided, thus justifying the SHOULD level for this
      requirement.

      The 120 seconds value corresponds to the Maximum Segment Lifetime
      (MSL) from [RFC0793].

      Note that this requirement also applies to the case when a CGN
      loses state (due to a crash, reboot, failover to a cold standby,
      etc.).  In that case, ports that were in use at the time of state
      loss SHOULD NOT be reallocated until at least 120 seconds have
      passed.

   REQ-9:  A CGN MUST include a Port Control Protocol server
           [I-D.ietf-pcp-base] with the following constraints on its
           behavior:

           A.  It MUST NOT permit the lifetime of a mapping to be
               reduced beyond its current life or be set to zero
               (deleted).

           B.  It MUST NOT permit a NAT mapping to be created with a
               lifetime less than the lifetime used for implicit
               mappings.

           C.  The MAP opcode MAY be permitted if the recommendation of
               endpoint independent filtering behavior described in
               REQ-7 is adopted; the map opcode MUST NOT be permitted in
               other circumstances.  These constraints MAY be relaxed if
               a security mechanism consistent with PCP's Advanced
               Threat Model (see Section 17.2 of [I-D.ietf-pcp-base]) is
               used; this is expected to be rare for CGN deployments.

           D.  Mappings created by PCP MUST follow the same deallocation
               behavior (REQ-8) as implicitly mapped traffic.

   Justification:  Allowing subscribers to manipulate the NAT state
      table with PCP greatly increases the likelihood that applications
      will function properly.

Perreault, et al.       Expires January 12, 2013                [Page 9]
Internet-Draft              CGN Requirements                   July 2012

      A study of PCP-less CGN impacts can be found in
      [I-D.donley-nat444-impacts].  Another study considering the
      effects of PCP on a peer-to-peer file sharing protocol can be
      found in [I-D.boucadair-pcp-bittorrent].

      Items "A" to "D" are justified as follows: Most of the concern has
      to do with one customer device interacting negatively with the
      security of another; this is of particular concern when the
      devices belong to different customers, but devices belonging to
      the same customer are in scope for the PCP security analysis as
      well.  Reducing a mapping lifetime or deleting a mapping create
      DoS opportunities and can create an opportunity for one device to
      intercept another device's traffic.  If a device spoofs creation
      of a mapping with less than the default lifetime, then that can
      create DoS or packet capture opportunities.  The behavior of REQ-8
      is critical to avoiding packet capture attacks.

   REQ-10:  CGN implementrers SHOULD make their equipment manageable.
            Standards-based management using standards such as
            "Definitions of Managed Objects for NAT" [RFC4008] is
            RECOMMENDED.

   Justification:  It is anticipated that CGNs will be primarily
      deployed in ISP networks where the need for management is
      critical.  This requirement is at the SHOULD level to account for
      the fact that some CGN operators may not need management
      functionality.

      Note also that there are efforts within the IETF toward creating a
      MIB tailored for CGNs (e.g., [I-D.ietf-behave-nat-mib]).

   REQ-11:  When a CGN is unable to create a mapping due to resource
            constraints or administrative restrictions (i.e., quotas):

            A.  it MUST drop the original packet;

            B.  it SHOULD send an ICMP Destination Unreachable message
                with code 1 (Host Unreachable) to the sender;

            C.  it SHOULD send a notification (e.g., SNMP trap) towards
                a management system (if configured to do so);

            D.  and it MUST NOT delete existing mappings in order to
                "make room" for the new one.  (This only applies to
                normal CGN behavior, not to manual operator
                intervention.)

Perreault, et al.       Expires January 12, 2013               [Page 10]
Internet-Draft              CGN Requirements                   July 2012

   Justification:  This is a slightly different form of REQ-8 from
      [RFC5508].  Code 1 is preferred to code 13 because it is listed as
      a "soft error" in [RFC1122], which is important because we don't
      want TCP stacks to abort the connection attempt in this case.  See
      [RFC5461] for details on TCP's reaction to soft errors.

      Sending ICMP errors and SNMP traps may be rate-limited for
      security reasons, which is why requirements B and C are SHOULDs,
      not a MUSTs.

      Applications generally handle connection establishment failure
      better than established connection failure.  This is why dropping
      the packet initiating the new connection is preferred over
      deleting existing mappings.  See also the rationale in [RFC5508]
      section 6.

4.  Logging

   It may be necessary for CGN administrators to be able to identify a
   subscriber based on external IPv4 address, port, and timestamp in
   order to deal with abuse.  When multiple subscribers share a single
   external address, the source address and port that are visible at the
   destination host have been translated from the ones originated by the
   subscriber.

   In order to be able to do this, the CGN would need to log the
   following information for each mapping created:

   o  subscriber identifier (e.g., internal source address or tunnel
      endpoint identifier)

   o  external source address

   o  external source port

   o  timestamp

   By "subscriber identifier" we mean information that uniquely
   identifies a subscriber.  For example, in a traditional NAT scenario,
   the internal source address would be sufficient.  In the case of DS-
   Lite, many subscribers share the same internal address and the
   subscriber identifier is the tunnel endpoint identifier (i.e., the
   B4's IPv6 address).

   A disadvantage of logging mappings is that CGNs under heavy usage may
   produce large amounts of logs, which may require large storage
   volume.

Perreault, et al.       Expires January 12, 2013               [Page 11]
Internet-Draft              CGN Requirements                   July 2012

   REQ-12:  A CGN SHOULD NOT log destination addresses or ports.

   Justification:  Destination logging at the CGN creates privacy
      issues.  Furthermore, readers should be aware of logging
      recommendations for Internet-facing servers [RFC6302].  With
      compliant servers, the destination address and port do not need to
      be logged by the CGN.  This can help reduce the amount of logging.

      This requirement is at the SHOULD level to account for the fact
      that there may be other reasons for logging destination addresses
      or ports.

5.  Bulk Port Allocation

   So far we have assumed that a CGN allocates one external port for
   every outgoing connection.  In this section, the impacts of
   allocating multiple external ports at a time are discussed.

   There is a range of things a CGN can do:

   Traditional:  For every outgoing connection, allocate one external
      port.

   Scattered port set:  For an outgoing connection, create a set of
      several non-consecutive external ports.  Subsequent outgoing
      connections will use ports from the set.  When the set is
      exhausted, a new connection causes a new set to be created.  A set
      is smaller or equal to the user's maximum port limit.

   Consecutive port set:  Same as the scattered port set, but the ports
      allocated to a set are consecutive.

   Note that this list is not exhaustive.  There is a continuum of
   behavior that a CGN may choose to implement.  For example, a CGN
   could use scattered port sets of consecutive port sets.

   The impacts of bulk port allocation are as follows.

   Port Utilization:  The mechanisms at the top of the list are very
      efficient in their port utilization.  In that sense, they have
      good scaling properties (nothing is wasted).  The mechanisms at
      the bottom of the list will waste ports.  The number of wasted
      ports is proportional to size of the "bin".

Perreault, et al.       Expires January 12, 2013               [Page 12]
Internet-Draft              CGN Requirements                   July 2012

   Logging:  Traditional allocation creates a lot of log entries as
      compared to allocation by port sets which creates much fewer
      entries.  Scattered and consecutive port sets generate the same
      number of log entries.  In the case of consecutive port sets,
      entries can be expressed very compactly by indicating a range
      (e.g., "12000-12009").  Some scattered port set allocation schemes
      can also generate small log entries containing the parameters and
      algorithm used for the port set generation (see, e.g., [RFC6431]).

      With large set sizes, the logging frequency for scattered and
      consecutive port sets can approach that of DHCP servers.

   Security:  Traditional and scattered port sets provide very good
      security in that ports numbers are not easily guessed.  Easily
      guessed port numbers put subscribers at risk of the attacks
      described in [RFC6056].  Consecutive port sets provides poor
      security to subscribers, especially if the set size is small.

6.  Deployment Considerations

   Several issues are encountered when CGNs are used [RFC6269].  There
   is current work in the IETF toward alleviating some of these issues.
   For example, see [I-D.ietf-intarea-nat-reveal-analysis].

7.  IANA Considerations

   There are no IANA considerations.

8.  Security Considerations

   If a malicious subscriber can spoof another subscriber's CPE, it may
   cause a DoS to that subscriber by creating mappings up to the allowed
   limit.  An ISP can prevent this with ingress filtering, as described
   in [RFC2827].

   This document recommends Endpoint-Independent Filtering (EIF) as the
   default filtering behavior for CGNs.  EIF has security considerations
   which are discussed in [RFC4787].

   NATs sometimes perform fragment reassembly.  CGNs would do so at
   presumably high data rates.  Therefore, the reader should be familiar
   with the potential security issues described in [RFC4963].

Perreault, et al.       Expires January 12, 2013               [Page 13]
Internet-Draft              CGN Requirements                   July 2012

9.  Acknowledgements

   Thanks for the input and review by Alexey Melnikov, Arifumi
   Matsumoto, Barry Leiba, Benson Schliesser, Dai Kuwabara, Dan Wing,
   Dave Thaler, David Harrington, Francis Dupont, Jean-Francois
   Tremblay, Joe Touch, Lars Eggert, Kousuke Shishikura, Mohamed
   Boucadair, Nejc Skoberne, Reinaldo Penno, Sam Hartman, Senthil
   Sivakumar, Takanori Mizuguchi, Takeshi Tomochika, Tina Tsou, Tomohiro
   Fujisaki, Tomohiro Nishitani, Tomoya Yoshida, Wesley Eddy, and
   Yasuhiro Shirasaki.  Dan Wing also contributed much of section 5.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
              C. Wang, "Definitions of Managed Objects for Network
              Address Translators (NAT)", RFC 4008, March 2005.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [RFC5382]  Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              April 2009.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597, September 2009.

   [I-D.ietf-pcp-base]
              Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
              Selkirk, "Port Control Protocol (PCP)",
              draft-ietf-pcp-base-26 (work in progress), June 2012.

10.2.  Informative Reference

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, September 1981.

Perreault, et al.       Expires January 12, 2013               [Page 14]
Internet-Draft              CGN Requirements                   July 2012

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, August 1999.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, May 2000.

   [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
              Errors at High Data Rates", RFC 4963, July 2007.

   [RFC5461]  Gont, F., "TCP's Reaction to Soft Errors", RFC 5461,
              February 2009.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056,
              January 2011.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, April 2011.

   [RFC6264]  Jiang, S., Guo, D., and B. Carpenter, "An Incremental
              Carrier-Grade NAT (CGN) for IPv6 Transition", RFC 6264,
              June 2011.

   [RFC6269]  Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing", RFC 6269,
              June 2011.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6431]  Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and
              T. Tsou, "Huawei Port Range Configuration Options for PPP
              IP Control Protocol (IPCP)", RFC 6431, November 2011.

   [I-D.ietf-behave-nat-mib]
              Perreault, S., Tsou, T., and S. Sivakumar, "Additional
              Managed Objects for Network Address Translators (NAT)",

Perreault, et al.       Expires January 12, 2013               [Page 15]
Internet-Draft              CGN Requirements                   July 2012

              draft-ietf-behave-nat-mib-01 (work in progress),
              June 2012.

   [I-D.ietf-intarea-nat-reveal-analysis]
              Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Solution Candidates to Reveal a Host
              Identifier (HOST_ID) in Shared Address Deployments",
              draft-ietf-intarea-nat-reveal-analysis-02 (work in
              progress), April 2012.

   [I-D.donley-nat444-impacts]
              Donley, C., Howard, L., Kuarsingh, V., Berg, J., and U.
              Colorado, "Assessing the Impact of Carrier-Grade NAT on
              Network Applications", draft-donley-nat444-impacts-04
              (work in progress), May 2012.

   [I-D.boucadair-pcp-bittorrent]
              Boucadair, M., Zheng, T., Deng, X., and J. Queiroz,
              "Behavior of BitTorrent service in PCP-enabled networks
              with Address Sharing", draft-boucadair-pcp-bittorrent-00
              (work in progress), May 2012.

Appendix A.  Change Log (to be removed by RFC Editor prior to
             publication)

A.1.  Changed in -08

   o  Made it super explicit that we're talking about an IPv4-only CGN
      logical *function*, not an IPv4-only CGN *scenario*.  This changes
      and simplifies the definition of CGN a bit.

   o  Did NOT change the intended status.  Further guidance from IESG is
      necessary.

   o  Fixed a huge typo in REQ-7.

   o  Fixed bugs in REQ-5-B justification.

   o  Added REQ-9 items A to D which constrain PCP server behavior.

A.2.  Changed in -07

   o  Fixed sub-requirement numbering in REQ-1.

   o  Reference update.

Perreault, et al.       Expires January 12, 2013               [Page 16]
Internet-Draft              CGN Requirements                   July 2012

   o  Changed REQ-2 back to MUST (from SHOULD).

   o  Added reference to RFC6264 (incremental CGN).

   o  Be more clear that this is not an endorsement of CGN.

   o  Make it clear that this draft is only about IPv4.

   o  Added justification for a bunch of SHOULDs and turned the
      remaining ones into MUSTs.

A.3.  Changed in -06

   o  Expanded some acronyms.

   o  Added example IP addresses to ASCII art.

   o  Reword transport protocol section.

   o  Stronger words of caution about CGNs.

   o  Refer to RFC for DCCP NAT behaviour.

   o  Note in headers and abstract that this updates RFC 4787.

   o  Remove sentence "This is not to be considered a solution to the
      shortage of IPv4 addresses."

   o  Remove text having marketing scent.

   o  Change some "MUST ... unless" requirements to "SHOULD ... unless".

   o  Merge REQ-8 and REQ-9.

   o  PCP is now a MUST.

   o  NAT-MIB is now an example rather than specificially required.

   o  When a quota is hit, send ICMP DU code 1 instead of code 3.

   o  Remove mention of "lawful intercept".

   o  Remove discussion on destination logging from section on bulk port
      allocation.

   o  Remove discussion on address sharing ratio.

Perreault, et al.       Expires January 12, 2013               [Page 17]
Internet-Draft              CGN Requirements                   July 2012

A.4.  Changed in -05

   o  Removed DSCP requirement since it applies to non-CG NATs as well.

   o  Removed instances of "NAT444".

   o  Filtering has no effect on the requirement for a hold down pool.
      Removed REQ-8-B.

   o  Statically assigned port ranges do not need to go in the hold down
      pool.  Added a new REQ-8-B.

   o  Fixed various nits.  More precise text in some places.

A.5.  Changed in -04

   o  Fixed nits, spelling, updated references.

   o  CGNs SHOULD NOT log destinations.

   o  Allow address-dependent filtering when it does not cause the
      application protocol to break.

   o  Refer to RFC4787 security considerations on EIF.

   o  Clarify REQ-12 point D (it does not apply to operator
      intervention).

   o  Changed "CGNs SHOULD limit ..." to "SHOULD support limiting" to
      make it clear that the operator is in control.

   o  Added reference to RFC 4963.

   o  Added requirement for non-contiguous external address pools.

A.6.  Changed in -03

   o  Added exceptions for which it is not necessary to wait 120 seconds
      before reusing a port.

   o  Renamed "random port set" to "scattered port set", which is more
      accurate.

   o  Log "subscriber identifier" instead of internal address+port to
      allow for overlapping internal address ranges (DS-Lite).

   o  Adjusted logging text and added reference to I-D.boucadair-pppext-
      portrange-option.

Perreault, et al.       Expires January 12, 2013               [Page 18]
Internet-Draft              CGN Requirements                   July 2012

   o  Adjusted destination logging text for bulk port allocation
      schemes.

   o  Removed requirement for I-D.ietf-intarea-ipv4-id-update.

   o  Made PCP support a SHOULD-level requirement.

   o  Lowered the level of requirement for not dropping existing
      mappings in order to "make room" to SHOULD level, and added
      rationale.

A.7.  Changed in -02

   o  CGNs MUST support at least TCP, UDP, and ICMP.

   o  Add requirement from I-D.ietf-intarea-ipv4-id-update.

   o  Add informative reference to [RFC6269].

   o  Add requirement (SHOULD level) for a port forwarding protocol.

   o  Allow any pooling behavior on a per-application protocol basis.

   o  Adjust wording for external port allocation rate limiting.

   o  Add requirement for RFC4008 support (SHOULD level).

   o  Adjust wording for swapping address pools when rebooting.

   o  Add DSCP requirement (stolen from draft-jennings-behave-nat6).

   o  Add informative reference to
      draft-boucadair-intarea-nat-reveal-analysis.

   o  Add requirement for hold-down pool.

   o  Change definition of CGN.

   o  Avoid usage of "device" loaded word throughout the document.

   o  Add requirement about resource exhaustion.

   o  Change title.

   o  Describe additional CGN topology where there is no NAT444.

   o  Better justification for "Paired" pool behavior.

Perreault, et al.       Expires January 12, 2013               [Page 19]
Internet-Draft              CGN Requirements                   July 2012

   o  Make it clear that rate limiting allocation is for preserving CPU
      resources

   o  Generalize the requirement for limiting the number of TCP sessions
      per mapping so that it applies to all memory-consuming state
      elements.

   o  Change CPE to subscriber where it applies throughout the text.

   o  Better terminology for bulk port allocation mechanisms.

   o  Explain how external address pairing works with DS-Lite.

A.8.  Changed in -01

   o  Terminology: LSN is now CGN.

   o  Imported all requirements from RFCs 4787, 5382, and 5508.  This
      allowed us to eliminate some duplication.

   o  Added references to
      draft-ietf-intarea-server-logging-recommendations and
      draft-ford-shared-addressing-issues.

   o  Incorporated a requirement from
      draft-xu-behave-stateful-nat-standby-06.

Authors' Addresses

   Simon Perreault (editor)
   Viagenie
   246 Aberdeen
   Quebec, QC  G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI:   http://www.viagenie.ca

Perreault, et al.       Expires January 12, 2013               [Page 20]
Internet-Draft              CGN Requirements                   July 2012

   Ikuhei Yamagata
   NTT Communications Corporation
   Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku
   Tokyo  108-8118
   Japan

   Phone: +81 50 3812 4704
   Email: ikuhei@nttv6.jp

   Shin Miyakawa
   NTT Communications Corporation
   Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku
   Tokyo  108-8118
   Japan

   Phone: +81 50 3812 4695
   Email: miyakawa@nttv6.jp

   Akira Nakagawa
   Japan Internet Exchange Co., Ltd. (JPIX)
   Otemachi Building 21F, 1-8-1 Otemachi, Chiyoda-ku
   Tokyo  100-0004
   Japan

   Phone: +81 90 9242 2717
   Email: a-nakagawa@jpix.ad.jp

   Hiroyuki Ashida
   IS Consulting G.K.
   12-17 Odenma-cho Nihonbashi Chuo-ku
   Tokyo  103-0011
   Japan

   Email: assie@hir.jp

Perreault, et al.       Expires January 12, 2013               [Page 21]