PCP Third Party ID Option
draft-ietf-pcp-third-party-id-option-02
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7843.
|
|
|---|---|---|---|
| Authors | Andreas Ripke , Rolf Winter , Thomas Dietz , Juergen Quittek , Rafael Lopez da Silva | ||
| Last updated | 2015-04-28 (Latest revision 2015-02-09) | ||
| Replaces | draft-ripke-pcp-tunnel-id-option | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Telechat review
(of
-04)
by Suresh Krishnan
Almost ready
GENART Last Call review
(of
-03)
by Suresh Krishnan
Almost ready
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | In WG Last Call | |
| Document shepherd | Reinaldo Penno | ||
| IESG | IESG state | Became RFC 7843 (Proposed Standard) | |
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | "Reinaldo Penno" <repenno@cisco.com> |
draft-ietf-pcp-third-party-id-option-02
Internet Engineering Task Force A. Ripke
Internet-Draft R. Winter
Updates: 6887 (if approved) T. Dietz
Intended status: Standards Track J. Quittek
Expires: August 12, 2015 NEC
R. da Silva
Telefonica I+D
February 8, 2015
PCP Third Party ID Option
draft-ietf-pcp-third-party-id-option-02
Abstract
This document describes a new Port Control Protocol (PCP) option
called THIRD_PARTY_ID. It is designed to be used in combination with
the THIRD_PARTY option specified in RFC 6887 but can also be used
without it. The THIRD_PARTY_ID serves to identify a Third Party in
situations where a third party's IP address contained in the
THIRD_PARTY option does not provide sufficient information to create
requested mappings in a PCP-controlled device.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 12, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Ripke, et al. Expires August 12, 2015 [Page 1]
Internet-Draft Third Party ID February 2015
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Target Scenarios . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Carrier-hosted UPnP IGD-PCP IWF . . . . . . . . . . . . . 5
3.2. Carrier Web Portal . . . . . . . . . . . . . . . . . . . 7
3.3. Other Use Cases . . . . . . . . . . . . . . . . . . . . . 7
4. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. Result Codes . . . . . . . . . . . . . . . . . . . . . . 9
5. Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1. Generating a Request . . . . . . . . . . . . . . . . . . 9
5.2. Processing a Request . . . . . . . . . . . . . . . . . . 9
5.3. Processing a Response . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.1. Normative References . . . . . . . . . . . . . . . . . . 11
9.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
The IETF has specified the Port Control Protocol (PCP) [RFC6887] to
control how packets are translated and forwarded by a PCP-controlled
device such as a network address translator (NAT) or firewall.
This document focuses on the scenarios where the PCP client sends
requests that concern internal addresses other than the address of
the PCP client itself.
There is already an option defined for this purpose in the RFC 6887
[RFC6887] called the THIRD_PARTY option. The THIRD_PARTY option
carries the IP address of a host for which a PCP client requests an
action at the PCP server. The THIRD_PARTY option can, for example,
be used if port mapping requests for a carrier-grade NAT (CGN) are
not sent from PCP clients at subscriber's terminals, but, for
example, from a PCP Interworking Function which requests port
mappings.
Ripke, et al. Expires August 12, 2015 [Page 2]
Internet-Draft Third Party ID February 2015
In some cases, the THIRD_PARTY option is not sufficient and further
means are needed for identifying the third party. Such cases are
addressed by the THIRD_PARTY_ID option, that is specified in this
document.
The primary issue addressed by the THIRD_PARTY_ID option is that
there are CGN deployments that do not distinguish internal hosts by
their IP address alone, but use further identifiers (IDs) for unique
subscriber identification. This is, for example, the case if a CGN
supports overlapping private or shared IP address spaces
[RFC1918][RFC6598] for internal hosts of different subscribers. In
such cases, different internal hosts are identified and mapped at the
CGN by their IP address and/or another ID, for example, the ID of a
tunnel between the CGN and the subscriber. In these scenarios (and
similar ones), the internal IP address contained in the THIRD_PARTY
option is not sufficient to de-multiplex connections from internal
hosts. An additional identifier needs to be present in the PCP
message in order to uniquely identify an internal host. The
THIRD_PARTY_ID option is used to carry this ID.
This applies to some of the PCP deployment scenarios that are listed
in Section 2.1 of RFC 6887 [RFC6887], in particular to a Layer-2
aware NAT which is described in more detail in Section 3, or GI-DS-
Lite [RFC6674] and ds-extra-lite [RFC6619].
The THIRD_PARTY_ID option is defined for the PCP opcodes MAP and
PEER. It can be used alone or in combination with the THIRD_PARTY
option for the PCP opcodes MAP and PEER.
2. Terminology
The terminology defined in the specification of PCP [RFC6887]
applies.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].
3. Target Scenarios
This section describes two scenarios that illustrate the use of the
THIRD_PARTY_ID option:
1. a UPnP IGD-PCP IWF (Universal Plug and Play Internet Gateway
Device - Port Control Protocol Interworking Function [RFC6970]),
2. a carrier web portal for port mapping.
Ripke, et al. Expires August 12, 2015 [Page 3]
Internet-Draft Third Party ID February 2015
The scenarios serve as examples. This document does not restrict the
applicability of the THIRD_PARTY_ID to certain scenarios. Both
scenarios are refinements of the same basic scenario shown in
Figure 1 which is considered as a PCP deployment scenario employing
Layer-2 aware NATs as listed in Section 2.1 of [RFC6887]. It has a
carrier operating a CGN and a Port Control Protocol Interworking
Function (PCP IWF) [RFC6970] for subscribers to request port mappings
at the CGN. The PCP IWF communicates with the CGN using PCP. For
this purpose the PCP IWF contains a PCP client serving multiple
subscribers and the CGN is co-located with a PCP server. The way
subscribers interact with the PCP IWF for requesting port mappings
for their internal hosts is not specified in this basic scenario, but
it is elaborated on more in the specific scenarios in Section 3.1 and
Section 3.2.
The CGN operates as a Layer-2 aware NAT. Unlike a standard NAT, it
includes a subscriber identifier in addition to the source IP address
in entries of the NAT mapping table.
+--------------+ +------------------+
| Subscriber | | Carrier | ==== L2 connection(s)
| | | +--------------+ | between subscriber
| +......+ PCP | | and CGN
| +----------+ | | | Interworking | | #### PCP communication
| | Internal | | | | Function | | .... Subscriber - IWF
| | Host | | | +-----#--------+ | interaction
| +----+-----+ | | # | (elaborated
| | | | +-----#--------+ | in specific
| +----+-----+ | | | PCP Server | | scenarios below)
| | CPE | | | | | |
| | +-+======+ CGN L2NAT +--------- Public Internet
| +----------+ | | +--------------+ |
+--------------+ +------------------+
Figure 1: Carrier hosted PCP IWF for port mapping requests
Internal hosts in the subscriber's network use private IP addresses
([RFC1918]). There is no NAT between the internal host and the CGN,
and there is an overlap of addresses used by internal hosts at
different subscribers. That is why the CGN needs more than just the
internal host's IP address to distinguish internal hosts at different
subscribers. A commonly deployed method for solving this issue is
using an additional identifier for this purpose. A natural candidate
for this additional identifier at the CGN is the ID of the tunnel
that connects the CGN to the subscriber's network. The subscriber's
CPE operates as a Layer-2 bridge.
Ripke, et al. Expires August 12, 2015 [Page 4]
Internet-Draft Third Party ID February 2015
Requests for port mappings from the PCP IWF to the CGN need to
uniquely identify the internal host for which a port mapping is to be
established or modified. Already existing for this purpose is the
THIRD_PARTY option that can be used to specify the internal host's IP
address. The THIRD_PARTY_ID option is introduced for carrying the
additional third party information needed to identify the internal
host in this scenario.
The additional identifier for internal hosts needs to be included in
MAP requests from the PCP IWF in order to uniquely identify the
internal host that should have its address mapped. This is the
purpose that the new THIRD_PARTY_ID serves in this scenario. It
carries the additional identifier, that is the tunnel ID, that serves
for identifying an internal host in combination with the internal
host's (private) IP address. The IP address of the internal host is
included in the PCP IWF's mapping requests by using the THIRD_PARTY
option.
The information carried by the THIRD_PARTY_ID is not just needed to
identify an internal host in a PCP request. The CGN needs this
information in its internal mapping tables for translating packet
addresses and for forwarding packets to subscriber-specific tunnels.
How the carrier PCP IWF is managing port mappings, such as, for
example, automatically extending the lifetime of a mapping, is beyond
the scope of this document.
3.1. Carrier-hosted UPnP IGD-PCP IWF
This scenario further elaborates the basic one above by choosing
UPnP-IGD as the communication protocol between the subscriber and the
carrier's PCP IWF. Then obviously, the PCP IWF is realized as a UPnP
IGD-PCP IWF as specified in [RFC6970].
As shown in Figure 2 it is assumed here that the UPnP IGD-PCP IWF is
not embedded in the subscriber premises router, but offered as a
service to the subscriber. Further, it is assumed that the UPnP IGD-
PCP IWF is not providing NAT functionality.
This requires that the subscriber is able to connect to the UPnP IGD-
PCP IWF to request port mappings at the CGN using UPnP-IGD as
specified in [RFC6970]. In this scenario the connection is provided
via (one of the) tunnel(s) connecting the subscriber's network to the
BRAS and an extension of this tunnel from the BRAS to the UPnP IGD-
PCP IWF. Note that there are other alternatives that can be used for
providing the connection to the UPnP IGD-PCP IWF. The tunnel
extension used in this scenario can, for example, be realized by a
forwarding function for UPnP messages at the BRAS that forwards such
Ripke, et al. Expires August 12, 2015 [Page 5]
Internet-Draft Third Party ID February 2015
messages through per-subscriber tunnels to the UPnP IGD-PCP IWF.
Depending on an actual implementation, the UPnP IGD-PCP IWF can then
either use the ID of the tunnel in which the UPnP message arrived
directly as THIRD_PARTY_ID for PCP requests to the CGN or it uses the
ID of the tunnel to retrieve the THIRD_PARTY_ID from the AAA server.
To support the latter option, the BRAS needs to register the
subscriber's tunnel IDs at the AAA Server at the time it contacts the
AAA server for authentication and/or authorization of the subscriber.
The tunnel IDs to be registered per subscriber at the AAA server may
include the tunnel between CPE and BRAS, between BRAS and UPnP IGD-
PCP IWF, and between BRAS and CGN. The UPnP IGD-PCP IWF queries the
AAA Server for the ID of the tunnel between BRAS and CGN, because
this is the identifier to be used as the THIRD_PARTY_ID in the
subsequent port mapping request.
+--------------+ +------------------------------------+
| Subscriber | | Carrier |
| | | +----------------------------+ |
| | | | AAA Server | |
| | | +-----+---------------+------+ |
| | | | | |
| +----------+ | | +-----+---+ +-----+------+ |
| | Internal | | | | +=====+ | |
| | Host | | | | ...........| UPnP IGD | |
| +----+-----+ | | | . +=====+ PCP IWF | |
| | . | | | . | +-----#------+ |
| +----+--.--| | | | . | # |
| | | . +========+ . | +-----#------+ |
| | | .................. +=====+ PCP Server | |
| | +------------------------------| | |
| | CPE +========+ BRAS +=====+ CGN L2NAT +------- Public
| +----------+ | | +---------+ +------------+ | Internet
+--------------+ +------------------------------------+
==== L2 tunnel borders between subscriber, BRAS, IWF, and CGN
.... UPnP communication
#### PCP communication
Figure 2: UPnP IGD-PCP IWF
A potential extension to [RFC6970] regarding an additional state
variable for the THIRD_PARTY_ID and regarding an additional error
code for a mismatched THIRD_PARTY_ID and its processing might be a
logical next step. However, this is not in the scope of this
document.
Ripke, et al. Expires August 12, 2015 [Page 6]
Internet-Draft Third Party ID February 2015
3.2. Carrier Web Portal
This scenario shown in Figure 3 is different from the previous one
concerning the protocol used between the subscriber and the IWF.
Here, HTTP(S) is the protocol that the subscriber uses for port
mapping requests. The subscriber may make requests manually using a
web browser or automatically - as in the previous scenario - with
applications in the subscriber's network issuing port mapping
requests on demand. The Web Portal queries the AAA Server for the
subscriber's tunnel ID of tunnel(BRAS, CGN) which was reported by the
BRAS. The returned tunnel ID of tunnel(BRAS, CGN) is used as the
THIRD_PARTY_ID in the subsequent port mapping request.
+--------------+ +------------------------------------+
| Subscriber | | Carrier |
| | | +------------+ |
| | | +------------+ | Web Portal | |
| +----------+ | | | AAA Server +--+ +--+ |
| | Internal | | | +-----+------+ | PCP Client | | |
| | Host | | | | +-----#------+ | |
| +----+-----+ | | | # | |
| | | | +-----+---+ +-----#------+ | |
| +----+-----+ | | | | | PCP Server | | |
| | CPE | | | | BRAS | | | | |
| | +-+======+ +=====+ CGN L2NAT +--+---- Public
| +----------+ | | +---------+ +------------+ | Internet
+--------------+ +------------------------------------+
==== L2 tunnel(s) between subscriber, BRAS, and CGN
#### PCP communication
Figure 3: Carrier Web Portal
The PCP IWF is realized as a combination of a web server and a PCP
Client.
3.3. Other Use Cases
Despite the fact that above scenarios solely use tunnel IDs the
THIRD_PARTY_ID can include any Layer-2 identifier like a MAC address
or other subscriber identifiers as mentioned in section 6 of
[I-D.boucadair-pcp-sfc-classifier-control].
The THIRD_PARTY_ID can also be used for the firewall control,
including the case of a virtual CPE, see section 3 of
[I-D.lee-vhs-usecases].
Ripke, et al. Expires August 12, 2015 [Page 7]
Internet-Draft Third Party ID February 2015
4. Format
The THIRD_PARTY_ID option is formatted as shown in Figure 4.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| THIRD_PARTY_ID |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: THIRD_PARTY_ID Option
o Option Name: THIRD_PARTY_ID
o Number: TBD
o Purpose: Identifies a third party for which a request for an
external IP address and port is made.
o Valid for opcodes: MAP, PEER, and all other for which the
THIRD_PARTY option is valid for.
o Length: Variable.
o MAY appear in: request. MUST appear in response if it appeared in
the associated request.
o Maximum occurrences: 1
The fields are as follows:
o THIRD_PARTY_ID: A deployment specific identifier that can be used
to identify a subscriber's session on a PCP-controlled device.
The THIRD_PARTY_ID is not bound to any specific identifier. The
Option Length is variable and specifies the length of the
THIRD_PARTY_ID field in octets as described in Section 7.3 of
[RFC6887].
The identifier field can contain any deployment specific value the
PCP client and the PCP server agree on. How this agreement is
reached if both PCP server and client are not administered by the
same entity is beyond the scope of this document. The option number
is in the mandatory-to-process range (0-127), meaning that a request
Ripke, et al. Expires August 12, 2015 [Page 8]
Internet-Draft Third Party ID February 2015
with a THIRD_PARTY_ID option is processed by the PCP server if and
only if the THIRD_PARTY_ID option is supported by the PCP server.
4.1. Result Codes
The following PCP Result Codes are new:
THIRD_PARTY_ID_UNKNOWN: The provided identifier in a THIRD_PARTY_ID
option is unknown/unavailable to the PCP server. This is a long
lifetime error.
THIRD_PARTY_MISSING_OPTION: This error occurs if both THIRD_PARTY
and THIRD_PARTY_ID options are expected in a request but one
option is missing. This is a long lifetime error.
UNSUPP_THIRD_PARTY_ID_LENGTH: The received option length is not
supported. This is a long lifetime error.
5. Behavior
The following sections describe the operations of a PCP client and a
PCP server when generating the request and processing the request and
response.
5.1. Generating a Request
In addition to generating a PCP request that is described in
[RFC6887] the following has to be applied. The THIRD_PARTY_ID option
MAY be included either in a PCP MAP or PEER opcode. It MAY be used
alone or in combination with the THIRD_PARTY option which provides an
IP address. The THIRD_PARTY_ID option holds an identifier to allow
the PCP-controlled device to uniquely identify the internal host
(specified in the THIRD_PARTY option) for which the port mapping is
to be established or modified. The padding rules described in
Section 7.3 of [RFC6887] apply.
5.2. Processing a Request
The THIRD_PARTY_ID option is in the mandatory-to-process range and if
the PCP server does not support this option it MUST return an
UNSUPP_OPTION response. If the provided identifier in a
THIRD_PARTY_ID option is unknown/unavailable the PCP server MUST
return a THIRD_PARTY_ID_UNKNOWN response. If the PCP server receives
a request with a not supported THIRD_PARTY_ID option length, it MUST
return a UNSUPP_THIRD_PARTY_ID_LENGTH response. If the PCP server
expects both THIRD_PARTY and THIRD_PARTY_ID options but receives only
one option, it MUST return a THIRD_PARTY_MISSING_OPTION response.
Ripke, et al. Expires August 12, 2015 [Page 9]
Internet-Draft Third Party ID February 2015
Upon receiving a valid request with a legal THIRD_PARTY_ID option
identifier the message is processed as specified in [RFC6887], except
that the THIRD_PARTY_ID option identifier used in addition when
accessing a mapping table.
5.3. Processing a Response
In addition to the response processing described in [RFC6887] if the
PCP client receives a THIRD_PARTY_ID_UNKNOWN or a
UNSUPP_THIRD_PARTY_ID_LENGTH or a THIRD_PARTY_MISSING_OPTION response
back for its previous request it SHOULD report an error. To where to
report an error is implementation dependent.
6. IANA Considerations
The following PCP Option Code is to be allocated in the mandatory-to-
process range:
o THIRD_PARTY_ID
[NOTE for IANA: Please allocate a PCP Option Code at
http://www.iana.org/assignments/pcp-parameters/pcp-
parameters.xml#option-rules]
The following PCP Result Codes are to be allocated:
o THIRD_PARTY_ID_UNKNOWN
o THIRD_PARTY_MISSING_OPTION
o UNSUPP_THIRD_PARTY_ID_LENGTH
[NOTE for IANA: Please allocate PCP Result Codes at
http://www.iana.org/assignments/pcp-parameters/pcp-
parameters.xml#result-codes]
7. Security Considerations
As this option is related to the use of the THIRD_PARTY option the
corresponding security considerations in Section 18.1.1 of RFC 6887
[RFC6887] apply. Especially, the network on which the PCP messages
are sent must be fully trusted. The THIRD_PARTY_ID option might
carry privacy information like location or profile information.
Means to protect unauthorized access to this information should be
put in place.
Ripke, et al. Expires August 12, 2015 [Page 10]
Internet-Draft Third Party ID February 2015
8. Acknowledgments
Thanks to Mohamed Boucadair, Dave Thaler, Tom Taylor, and Dan Wing
for their comments and review.
Thanks to Mohamed Boucadair for many references and suggesting a
variable length for the THIRD_PARTY_ID.
9. References
9.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", BCP
5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6598] Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and
M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address
Space", BCP 153, RFC 6598, April 2012.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013.
9.2. Informative References
[I-D.boucadair-pcp-sfc-classifier-control]
Boucadair, M., "PCP as a Traffic Classifier Control
Protocol", draft-boucadair-pcp-sfc-classifier-control-01
(work in progress), October 2014.
[I-D.lee-vhs-usecases]
Lee, Y. and C. Xie, "Virtual Home Services Use Cases",
draft-lee-vhs-usecases-02 (work in progress), November
2014.
[RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
Operation of Address Translators with Per-Interface
Bindings", RFC 6619, June 2012.
[RFC6674] Brockners, F., Gundavelli, S., Speicher, S., and D. Ward,
"Gateway-Initiated Dual-Stack Lite Deployment", RFC 6674,
July 2012.
Ripke, et al. Expires August 12, 2015 [Page 11]
Internet-Draft Third Party ID February 2015
[RFC6970] Boucadair, M., Penno, R., and D. Wing, "Universal Plug and
Play (UPnP) Internet Gateway Device - Port Control
Protocol Interworking Function (IGD-PCP IWF)", RFC 6970,
July 2013.
Authors' Addresses
Andreas Ripke
NEC
Heidelberg
Germany
Email: ripke@neclab.eu
Rolf Winter
NEC
Heidelberg
Germany
Email: winter@neclab.eu
Thomas Dietz
NEC
Heidelberg
Germany
Email: dietz@neclab.eu
Juergen Quittek
NEC
Heidelberg
Germany
Email: quittek@neclab.eu
Rafael Lopez da Silva
Telefonica I+D
Madrid
Spain
Email: ralds@tid.es
Ripke, et al. Expires August 12, 2015 [Page 12]