Network Working Group                                           D. Cheng
Internet-Draft                                                    Huawei
Intended status: Standards Track                             J. Korhonen
Expires: May 18, 2017                               Broadcom Corporation
                                                            M. Boucadair
                                                                  Orange
                                                            S. Sivakumar
                                                           Cisco Systems
                                                       November 14, 2016

       RADIUS Extensions for IP Port Configuration and Reporting
                draft-ietf-radext-ip-port-radius-ext-17

Abstract

   This document defines three new RADIUS attributes. For devices that
   implement IP port ranges, these attributes are used to communicate
   with a RADIUS server in order to configure and report IP transport
   ports, as well as mapping behavior for specific hosts. This
   mechanism can be used in various deployment scenarios such as
   Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.
   This document defines a mapping between some RADIUS attributes and
   IPFIX Information Element Identifiers.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 18, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Extensions of RADIUS Attributes and TLVs
     3.1.  Extended Attributes for IP Ports
       3.1.1.  IP-Port-Limit-Info Attribute
       3.1.2.  IP-Port-Range Attribute
       3.1.3.  IP-Port-Forwarding-Map Attribute
     3.2.  RADIUS TLVs for IP Ports
       3.2.1.  IP-Port-Type TLV
       3.2.2.  IP-Port-Limit TLV
       3.2.3.  IP-Port-Ext-IPv4-Addr TLV
       3.2.4.  IP-Port-Int-IPv4-Addr TLV
       3.2.5.  IP-Port-Int-IPv6-Addr TLV
       3.2.6.  IP-Port-Int-Port TLV
       3.2.7.  IP-Port-Ext-Port TLV
       3.2.8.  IP-Port-Alloc TLV
       3.2.9.  IP-Port-Range-Start TLV
       3.2.10. IP-Port-Range-End TLV
       3.2.11. IP-Port-Local-Id TLV
   4.  Applications, Use Cases and Examples
     4.1.  Managing CGN Port Behavior using RADIUS
       4.1.1.  Configure IP Port Limit for a User
       4.1.2.  Report IP Port Allocation/Deallocation
       4.1.3.  Configure Forwarding Port Mapping
       4.1.4.  An Example
     4.2.  Report Assigned Port Set for a Visiting UE
   5.  Table of Attributes
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  IANA Considerations on New IPFIX Information Elements
     7.2.  IANA Considerations on New RADIUS Attributes
     7.3.  IANA Considerations on New RADIUS TLVs
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   In a broadband network, customer information is usually stored on a
   RADIUS server [RFC2865]. At the time when a user initiates an IP
   connection request, if this request is authorized, the RADIUS server
   will populate the user's configuration information to the Network
   Access Server (NAS), which is often referred to as a Broadband
   Network Gateway (BNG) in broadband access networks. The Carrier-
   Grade NAT (CGN) function may also be implemented on the BNG. Within
   this document, the CGN may perform NAT44 [RFC3022], NAT64 [RFC6146],
   or Dual-Stack Lite AFTR [RFC6333] function. In such a case, the CGN
   IP transport port (e.g., TCP/UDP port) mapping behavior(s) can be
   part of the configuration information sent from the RADIUS server to
   the NAS/BNG.
   The NAS/BNG may also report to the RADIUS server the IP port mapping
   behavior applied by the CGN to a user session, as part of the
   accounting information sent from the NAS/BNG to the RADIUS server.

   When IP packets traverse the CGN, it performs mapping on the IP
   transport (e.g., TCP/UDP) source port as required. An IP transport
   source port, along with source IP address, destination IP address,
   destination port and protocol identifier if applicable, uniquely
   identifies a mapping. Since the number space of IP transport ports
   in the CGN's external realm is shared among multiple users assigned
   the same IPv4 address, the total number of a user's simultaneous IP
   mappings is likely to be subject to a port quota (see Section 5 of
   [RFC6269]).

   The attributes defined in this document may also be used to report
   the assigned port range in some deployments such as Provider WLAN
   [I-D.gundavelli-v6ops-community-wifi-svcs]. For example, a visiting
   host can be managed by a CPE (Customer Premises Equipment) which
   will need to report the assigned port range to the service platform.
   This is required for identification purposes (see TR-146 [TR-146] for
   more details).

   This document proposes three new attributes as RADIUS protocol
   extensions, and they are used for separate purposes as follows:

   1.  IP-Port-Limit-Info: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet. The purpose of this attribute is to limit the total
       number of IP source transport ports allocated to a user,
       associated with one or more IPv4 or IPv6 addresses.

   2.  IP-Port-Range: This attribute may be carried in a RADIUS
       Accounting-Request packet. The purpose of this attribute is for
       an address sharing device (e.g., a CGN) to report to the RADIUS
       server the range of IP source transport ports that have been
       allocated or deallocated for a user. The port range is bound to
       an external IPv4 address.

   3.  IP-Port-Forwarding-Map: This attribute may be carried in a RADIUS
       Access-Accept, Access-Request, Accounting-Request or CoA-Request
       packet. The purpose of this attribute is to specify how an IP
       internal source transport port together with its internal IPv4 or
       IPv6 address are mapped to an external source transport port
       along with the external IPv4 address.

   IPFIX Information Elements [RFC7012] can be used for IP flow
   identification and representation over RADIUS. This document
   provides a mapping between some RADIUS TLVs and IPFIX Information
   Element Identifiers. A new IPFIX Information Element is defined by
   this document (see Section 3.2.2).

   IP protocol numbers (refer to [ProtocolNumbers]) can be used for
   identification of IP transport protocols (e.g., TCP [RFC0793], UDP
   [RFC0768], DCCP [RFC4340], and SCTP [RFC4960]) that are associated
   with some RADIUS attributes.

   This document focuses on IPv4 address sharing. IPv6 prefix sharing
   mechanisms (e.g., NPTv6) are out of scope.

2.  Terminology

   This document makes use of the following terms:

   o  IP Port: refers to an IP transport port (e.g., TCP port number,
      UDP port number).

   o  IP Port Type: refers to the IP transport protocol as indicated by
      the IP transport protocol number (refer to [ProtocolNumbers]).

   o  IP Port Limit: denotes the maximum number of IP ports for a
      specific (or all) IP transport protocol(s), that a device
      supporting port ranges can use when performing port number
      mappings for a specific user/host. Note that this limit is
      usually associated with one or more IPv4/IPv6 addresses.
   o  IP Port Range: specifies a set of contiguous IP ports, indicated
      by the lowest numerical number and the highest numerical number,
      inclusively.

   o  Internal IP Address: refers to the IP address that is used by a
      host as a source IP address in an outbound IP packet sent towards
      a device supporting port ranges in the internal realm. The
      internal IP address may be IPv4 or IPv6.

   o  External IP Address: refers to the IP address that is used as a
      source IP address in an outbound IP packet after traversing a
      device supporting port ranges in the external realm. This
      document assumes that the external IP address is an IPv4 address.

   o  Internal Port: is an IP transport port, which is allocated by a
      host or application behind an address sharing device for an
      outbound IP packet in the internal realm.

   o  External Port: is an IP transport port, which is allocated by an
      address sharing device upon receiving an outbound IP packet in the
      internal realm, and is used to replace the internal port that is
      allocated by a user or application.

   o  External realm: refers to the networking segment where external IP
      addresses are used as source addresses of outbound packets
      forwarded by an address sharing device.

   o  Internal realm: refers to the networking segment that is behind an
      address sharing device and where internal IP addresses are used.

   o  Mapping: denotes a relationship between an internal IP address,
      internal port and the protocol, and an external IP address,
      external port, and the protocol.

   o  Address sharing device: a device that is capable of sharing an
      IPv4 address among multiple users. Typical examples of such a
      device are a CGN, a CPE, a Provider WLAN Gateway, etc.

3.  Extensions of RADIUS Attributes and TLVs

   These three new attributes are defined in the following sub-sections:

   1.  IP-Port-Limit-Info Attribute

   2.  IP-Port-Range Attribute

   3.  IP-Port-Forwarding-Map Attribute

   All these attributes are allocated from the RADIUS "Extended Type"
   code space per [RFC6929].

   These attributes and their embedded TLVs (refer to Section 3.2) are
   defined with globally unique names and follow the guideline in
   Section 2.7.1 of [RFC6929].

   In all the figures describing the RADIUS attributes and TLV formats
   in the following sub-sections, the fields are transmitted from left
   to right.

3.1.  Extended Attributes for IP Ports

3.1.1.  IP-Port-Limit-Info Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929]. It contains some sub-attributes and the
   requirement is as follows:

   o  The IP-Port-Limit-Info Attribute MAY contain the IP-Port-Type TLV
      (see Section 3.2.1).

   o  The IP-Port-Limit-Info Attribute MUST contain the IP-Port-Limit
      TLV (see Section 3.2.2).

   o  The IP-Port-Limit-Info Attribute MAY contain the IP-Port-Ext-
      IPv4-Addr TLV (see Section 3.2.3).

   The IP-Port-Limit-Info Attribute specifies the maximum number of IP
   ports as indicated in the IP-Port-Limit TLV, of a specific IP
   transport protocol as indicated in the IP-Port-Type TLV, and
   associated with a given IPv4 address as indicated in the IP-Port-
   Ext-IPv4-Addr TLV for an end user.

   Note that when the IP-Port-Type TLV is not included as part of the
   IP-Port-Limit-Info Attribute, the port limit applies to all IP
   transport protocols.

   Note also that when the IP-Port-Ext-IPv4-Addr TLV is not included as
   part of the IP-Port-Limit-Info Attribute, the port limit applies to
   all the IPv4 addresses managed by the address sharing device, e.g., a
   CGN or NAT64 device.

   The IP-Port-Limit-Info Attribute MAY appear in an Access-Accept
   packet. It MAY also appear in an Access-Request packet as a
   preferred maximum number of IP ports indicated by the device
   supporting port ranges co-located with the NAS, e.g., a CGN or NAT64.
   The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet.

   The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request
   packet.

   The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Limit-Info Attribute is shown in Figure 1.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1

   Type

      241

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      5

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Limit TLV

         This TLV contains the maximum number of IP ports of a specific
         IP port type and associated with a given IPv4 address for an
         end user. This TLV MUST be included in the IP-Port-Limit-Info
         Attribute. Refer to Section 3.2.2. This limit applies to all
         mappings that can be instantiated by an underlying address
         sharing device without soliciting any external entity. In
         particular, this limit does not include the ports that are
         instructed by an AAA server.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port limit contained in the IP-Port-Limit TLV. This TLV is
         optionally included as part of the IP-Port-Limit-Info
         Attribute. Refer to Section 3.2.3.

   The IP-Port-Limit-Info Attribute is associated with the following
   identifier: 241.5.

3.1.2.  IP-Port-Range Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929]. It contains some sub-attributes and the
   requirement is as follows:

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Type TLV (see
      Section 3.2.1).

   o  The IP-Port-Range Attribute MUST contain the IP-Port-Alloc TLV
      (see Section 3.2.8).

   o  For port allocation, the IP-Port-Range Attribute MUST contain both
      the IP-Port-Range-Start TLV (see Section 3.2.9) and the IP-Port-
      Range-End TLV (see Section 3.2.10). For port deallocation, the
      IP-Port-Range Attribute MAY contain both of these two TLVs; if the
      two TLVs are not included, it implies that all ports that were
      previously allocated are now all deallocated.

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Ext-IPv4-Addr
      TLV (see Section 3.2.3).

   o  The IP-Port-Range Attribute MAY contain the IP-Port-Local-Id TLV
      (see Section 3.2.11).

   The IP-Port-Range Attribute contains a range of contiguous IP ports.
   These ports are either to be allocated or deallocated depending on
   the Value carried by the IP-Port-Alloc TLV.

   If the IP-Port-Type TLV is included as part of the IP-Port-Range
   Attribute, the port range is associated with the specific IP
   transport protocol as specified in the IP-Port-Type TLV, but
   otherwise is for all IP transport protocols.

   If the IP-Port-Ext-IPv4-Addr TLV is included as part of the IP-Port-
   Range Attribute, the port range as specified is associated with the
   IPv4 address as indicated, but otherwise is for all IPv4 addresses
   used by the address sharing device (e.g., a CGN device) for the end
   user.

   This attribute can be used to convey a single IP transport port
   number; in such a case the Value of the IP-Port-Range-Start TLV and
   the IP-Port-Range-End TLV, respectively, contain the same port
   number.

   The information contained in the IP-Port-Range Attribute is sent to
   the RADIUS server.

   The IP-Port-Range Attribute MAY appear in an Accounting-Request
   packet.
   The IP-Port-Range Attribute MUST NOT appear in any other RADIUS
   packet.

   The format of the IP-Port-Range Attribute is shown in Figure 2.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   Type

      241

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      6

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Alloc TLV

         This TLV contains a flag indicating whether the specified range
         of IP ports is being allocated or deallocated. This TLV MUST
         be included as part of the IP-Port-Range Attribute. Refer to
         Section 3.2.8.

      IP-Port-Range-Start TLV

         This TLV contains the smallest port number of a range of
         contiguous IP ports. To report the port allocation, this TLV
         MUST be included together with the IP-Port-Range-End TLV as
         part of the IP-Port-Range Attribute. Refer to Section 3.2.9.

      IP-Port-Range-End TLV

         This TLV contains the largest port number of a range of
         contiguous IP ports. To report the port allocation, this TLV
         MUST be included together with the IP-Port-Range-Start TLV as
         part of the IP-Port-Range Attribute. Refer to Section 3.2.10.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains the IPv4 address that is associated with the
         IP port range, as collectively indicated in the IP-Port-Range-
         Start TLV and the IP-Port-Range-End TLV. This TLV is
         optionally included as part of the IP-Port-Range Attribute.
         Refer to Section 3.2.3.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IP address/prefix, etc. This TLV is
         optionally included as part of the IP-Port-Range Attribute.
         Refer to Section 3.2.11.

   The IP-Port-Range Attribute is associated with the following
   identifier: 241.6.

3.1.3.  IP-Port-Forwarding-Map Attribute

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929]. It contains some sub-attributes and the
   requirement is as follows:

   o  The IP-Port-Forwarding-Map Attribute MAY contain the IP-Port-Type
      TLV (see Section 3.2.1).

   o  The IP-Port-Forwarding-Map Attribute MUST contain both the IP-
      Port-Int-Port TLV (see Section 3.2.6) and the IP-Port-Ext-Port
      TLV (see Section 3.2.7).

   o  If the internal realm uses the IPv4 address family, the IP-Port-
      Forwarding-Map Attribute MUST contain the IP-Port-Int-IPv4-Addr
      TLV (see Section 3.2.4); if the internal realm uses the IPv6
      address family, the IP-Port-Forwarding-Map Attribute MUST contain
      the IP-Port-Int-IPv6-Addr TLV (see Section 3.2.5).

   o  The IP-Port-Forwarding-Map Attribute MAY contain the IP-Port-Ext-
      IPv4-Addr TLV (see Section 3.2.3).

   o  The IP-Port-Forwarding-Map Attribute MAY contain the IP-Port-
      Local-Id TLV (see Section 3.2.11).

   The attribute contains a 2-byte IP internal port number and a 2-byte
   IP external port number. The internal port number is associated with
   an internal IPv4 or IPv6 address that MUST always be included. The
   external port number is associated with a specific external IPv4
   address if included, but otherwise with all external IPv4 addresses
   for the end user.
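   The MUST/MAY rules of Sections 3.1.1 to 3.1.3 can be checked
   mechanically before an attribute is accepted or built. The Python
   below is an added example written for this page, not code from the
   draft or from any RADIUS implementation. It models an attribute as
   its Extended-Type number plus a list of (TLV-Type, value) pairs and
   does no wire encoding. It assumes TLV-Type values 8 to 11 for
   IP-Port-Alloc, IP-Port-Range-Start, IP-Port-Range-End and
   IP-Port-Local-Id (not stated in this part of the draft; they follow
   the sub-section numbering) and reads the Section 3.1.3 rule as
   "exactly one of the two internal address TLVs".

```python
"""Rule checker for the three Section 3.1 attributes (example code).

An attribute is modelled as an Extended-Type number plus a list of
(TLV-Type, value) pairs; wire encoding is not handled here.
"""

# Extended-Type values under RADIUS Type 241 (Sections 3.1.1 to 3.1.3)
IP_PORT_LIMIT_INFO = 5
IP_PORT_RANGE = 6
IP_PORT_FORWARDING_MAP = 7

# TLV-Type values. 1 to 7 are stated in Section 3.2; 8 to 11 are an
# assumption of this example (they follow the sub-section numbering).
TLV_PORT_TYPE = 1
TLV_PORT_LIMIT = 2
TLV_EXT_IPV4 = 3
TLV_INT_IPV4 = 4
TLV_INT_IPV6 = 5
TLV_INT_PORT = 6
TLV_EXT_PORT = 7
TLV_ALLOC = 8
TLV_RANGE_START = 9
TLV_RANGE_END = 10
TLV_LOCAL_ID = 11

# natEvent values carried by IP-Port-Alloc (Section 3.2.8)
ALLOC_CREATE = 1
ALLOC_DELETE = 2

# TLVs each parent attribute may carry (the MAY/MUST lists of Section 3.1)
PERMITTED = {
    IP_PORT_LIMIT_INFO: {TLV_PORT_TYPE, TLV_PORT_LIMIT, TLV_EXT_IPV4},
    IP_PORT_RANGE: {TLV_PORT_TYPE, TLV_ALLOC, TLV_RANGE_START,
                    TLV_RANGE_END, TLV_EXT_IPV4, TLV_LOCAL_ID},
    IP_PORT_FORWARDING_MAP: {TLV_PORT_TYPE, TLV_INT_PORT, TLV_EXT_PORT,
                             TLV_INT_IPV4, TLV_INT_IPV6, TLV_EXT_IPV4,
                             TLV_LOCAL_ID},
}


def validate(ext_type, tlvs):
    """Return the list of rule violations; an empty list means well formed."""
    allowed = PERMITTED.get(ext_type)
    if allowed is None:
        return ["unknown Extended-Type 241.%d" % ext_type]
    errors = []
    present = {}
    for tlv_type, value in tlvs:
        if tlv_type not in allowed:
            errors.append("TLV %d not permitted in 241.%d" % (tlv_type, ext_type))
        present[tlv_type] = value

    if ext_type == IP_PORT_LIMIT_INFO:
        # Section 3.1.1: IP-Port-Limit is the only mandatory TLV
        if TLV_PORT_LIMIT not in present:
            errors.append("IP-Port-Limit TLV is mandatory")

    elif ext_type == IP_PORT_RANGE:
        # Section 3.1.2: Alloc is mandatory; Start and End are both required
        # for allocation and optional (but paired) for deallocation, where
        # omitting them means "all previously allocated ports"
        alloc = present.get(TLV_ALLOC)
        if alloc is None:
            errors.append("IP-Port-Alloc TLV is mandatory")
        elif alloc not in (ALLOC_CREATE, ALLOC_DELETE):
            errors.append("IP-Port-Alloc value %r is not 1 or 2" % (alloc,))
        has_start = TLV_RANGE_START in present
        has_end = TLV_RANGE_END in present
        if alloc == ALLOC_CREATE and not (has_start and has_end):
            errors.append("allocation requires both Range-Start and Range-End")
        elif has_start != has_end:
            errors.append("Range-Start and Range-End must be given together")
        elif has_start and present[TLV_RANGE_START] > present[TLV_RANGE_END]:
            # Section 2: a range runs from its lowest to its highest port
            errors.append("Range-Start exceeds Range-End")

    elif ext_type == IP_PORT_FORWARDING_MAP:
        # Section 3.1.3: both port TLVs, plus the internal address TLV of
        # the internal realm's address family (exactly one of the two)
        if TLV_INT_PORT not in present:
            errors.append("IP-Port-Int-Port TLV is mandatory")
        if TLV_EXT_PORT not in present:
            errors.append("IP-Port-Ext-Port TLV is mandatory")
        if (TLV_INT_IPV4 in present) == (TLV_INT_IPV6 in present):
            errors.append("exactly one of Int-IPv4-Addr / Int-IPv6-Addr is required")
    return errors


if __name__ == "__main__":
    # Constructed sample: a CGN reporting that UDP ports 1024-2047 were allocated
    print(validate(IP_PORT_RANGE, [(TLV_PORT_TYPE, 17), (TLV_ALLOC, ALLOC_CREATE),
                                   (TLV_RANGE_START, 1024), (TLV_RANGE_END, 2047)]))
    # Deallocation of everything previously allocated: Alloc alone is enough
    print(validate(IP_PORT_RANGE, [(TLV_ALLOC, ALLOC_DELETE)]))
```

   A receiver that applies these checks before acting on a CoA-Request
   or Accounting-Request rejects a malformed attribute (for example an
   allocation report with no port range) instead of silently applying a
   partial mapping.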
   If the IP-Port-Type TLV is included as part of the IP-Port-
   Forwarding-Map Attribute, the port mapping is associated with the
   specific IP transport protocol as specified in the IP-Port-Type TLV,
   but otherwise is for all IP transport protocols.

   The IP-Port-Forwarding-Map Attribute MAY appear in an Access-Accept
   packet. It MAY also appear in an Access-Request packet to indicate a
   preferred port mapping by the device co-located with the NAS.
   However, the server is not required to honor such a preference.

   The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request
   packet.

   The IP-Port-Forwarding-Map Attribute MAY also appear in an
   Accounting-Request packet.

   The IP-Port-Forwarding-Map Attribute MUST NOT appear in any other
   RADIUS packet.

   The format of the IP-Port-Forwarding-Map Attribute is shown in
   Figure 3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3

   Type

      241

   Length

      This field indicates the total length in bytes of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      7

   Value

      This field contains a set of TLVs as follows:

      IP-Port-Type TLV

         This TLV contains a value that indicates the IP port type.
         Refer to Section 3.2.1.

      IP-Port-Int-Port TLV

         This TLV contains an internal IP port number associated with an
         internal IPv4 or IPv6 address. This TLV MUST be included
         together with the IP-Port-Ext-Port TLV as part of the IP-Port-
         Forwarding-Map Attribute. Refer to Section 3.2.6.

      IP-Port-Ext-Port TLV

         This TLV contains an external IP port number associated with an
         external IPv4 address. This TLV MUST be included together with
         the IP-Port-Int-Port TLV as part of the IP-Port-Forwarding-Map
         Attribute. Refer to Section 3.2.7.

      IP-Port-Int-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an internal realm with the IPv4 address family, this TLV
         MUST be included as part of the IP-Port-Forwarding-Map
         Attribute. Refer to Section 3.2.4.

      IP-Port-Int-IPv6-Addr TLV

         This TLV contains an IPv6 address that is associated with the
         internal IP port number contained in the IP-Port-Int-Port TLV.
         For an internal realm with the IPv6 address family, this TLV
         MUST be included as part of the IP-Port-Forwarding-Map
         Attribute. Refer to Section 3.2.5.

      IP-Port-Ext-IPv4-Addr TLV

         This TLV contains an IPv4 address that is associated with the
         external IP port number contained in the IP-Port-Ext-Port TLV.
         This TLV MAY be included as part of the IP-Port-Forwarding-Map
         Attribute. Refer to Section 3.2.3.

      IP-Port-Local-Id TLV

         This TLV contains a local session identifier at the customer
         premises, such as a MAC address, interface ID, VLAN ID, PPP
         session ID, VRF ID, IP address/prefix, etc. This TLV is
         optionally included as part of the IP-Port-Forwarding-Map
         Attribute. Refer to Section 3.2.11.

   The IP-Port-Forwarding-Map Attribute is associated with the following
   identifier: 241.7.

3.2.  RADIUS TLVs for IP Ports

   The TLVs that are included in the three attributes (see Section 3.1)
   are defined in the following sub-sections. These TLVs use the format
   defined in [RFC6929]. As the three attributes carry similar data, we
   have defined a common set of TLVs which are used for all three
   attributes. That is, the TLVs have the same name and number, when
   encapsulated in any one of the three parent attributes.
   See Section 3.1.1, Section 3.1.2, and Section 3.1.3 for a list of
   which TLV is permitted within which parent attribute.

   The encoding of the Value field of these TLVs follows the
   recommendation of [RFC6158]. In particular, the IP-Port-Type, IP-
   Port-Limit, IP-Port-Int-Port, IP-Port-Ext-Port, IP-Port-Alloc, IP-
   Port-Range-Start, and IP-Port-Range-End TLVs are encoded in 32 bits
   as per the recommendation in Appendix A.2.1 of [RFC6158].

3.2.1.  IP-Port-Type TLV

   The format of the IP-Port-Type TLV is shown in Figure 4. This TLV
   carries the IP transport protocol number defined by IANA (refer to
   [ProtocolNumbers]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |        Protocol-Number
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Protocol-Number        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 4

   TLV-Type

      1

   Length

      6

   Protocol-Number

      Integer. This field contains the data (unsigned8) of the protocol
      number defined in [ProtocolNumbers], right justified, and the
      unused bits in this field MUST be set to zero. Protocols that do
      not use a port number (e.g., Resource Reservation Protocol (RSVP),
      IP Encapsulating Security Payload (ESP)) MUST NOT be included in
      the IP-Port-Type TLV.

   The IP-Port-Type TLV MAY be included in the following Attributes:

   o  IP-Port-Limit-Info Attribute, identified as 241.5.1 (see
      Section 3.1.1).

   o  IP-Port-Range Attribute, identified as 241.6.1 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.7.1 (see
      Section 3.1.3).

   When the IP-Port-Type TLV is included within a RADIUS Attribute, the
   associated attribute is applied to the IP transport protocol as
   indicated by the Protocol-Number only, such as TCP, UDP, SCTP, DCCP,
   etc.

3.2.2.  IP-Port-Limit TLV

   The format of the IP-Port-Limit TLV is shown in Figure 5. This TLV
   carries the IPFIX Information Element "sourceTransportPortsLimit"
   (458), which indicates the maximum number of IP transport ports as a
   limit for an end user to use that is associated with one or more
   IPv4 or IPv6 addresses.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |   sourceTransportPortsLimit
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       sourceTransportPortsLimit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 5

   TLV-Type

      2

   Length

      6

   sourceTransportPortsLimit

      Integer. This field contains the data (unsigned16) of
      sourceTransportPortsLimit (458) defined in IPFIX, right justified,
      and the unused bits in this field MUST be set to zero.

   The IP-Port-Limit TLV MUST be included as part of the IP-Port-Limit-
   Info Attribute (refer to Section 3.1.1), identified as 241.5.2.

3.2.3.  IP-Port-Ext-IPv4-Addr TLV

   The format of the IP-Port-Ext-IPv4-Addr TLV is shown in Figure 6.
   This TLV carries IPFIX Information Element 225,
   "postNATSourceIPv4Address", which is the IPv4 source address after
   NAT operation (refer to [IPFIX]).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV-Type    |    Length     |    postNATSourceIPv4Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       postNATSourceIPv4Address    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 6

   TLV-Type

      3

   Length

      6

   postNATSourceIPv4Address

      Integer. This field contains the data (ipv4Address) of
      postNATSourceIPv4Address (225) defined in IPFIX.
740 IP-Port-Ext-IPv4-Addr TLV MAY be included in the following 741 Attributes: 743 o IP-Port-Limit-Info Attribute, identified as 241.5.3 (see 744 Section 3.1.1). 746 o IP-Port-Range Attribute, identified as 241.6.3 (see 747 Section 3.1.2). 749 o IP-Port-Forwarding-Mapping Attribute, identified as 241.7.3 (see 750 Section 3.1.3). 752 3.2.4. IP-Port-Int-IPv4-Addr TLV 754 The format of IP-Port-Int-IPv4 TLV is shown in Figure 7. This 755 attribute carries IPFIX Information Element 8, "sourceIPv4Address", 756 which is the IPv4 source address before NAT operation (refer to 757 [IPFIX]). 759 0 1 2 3 760 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 762 | TLV-Type | Length | sourceIPv4Address 763 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 764 sourceIPv4Address | 765 +-+--+-+-+-+-+-+-++-+-+-+-+-+-+-+ 767 Figure 7 769 TLV-Type 771 4 773 Length 775 6 777 sourceIPv4Address 779 Integer. This field contains the data (ipv4Address) of 780 sourceIPv4Address (8) defined in IPFIX. 782 If the internal realm is with IPv4 address family, the IP-Port-Int- 783 IPv4-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map 784 Attribute (refer to Section 3.1.3), identified as 241.7.4. 786 3.2.5. IP-Port-Int-IPv6-Addr TLV 788 The format of IP-Port-Int-IPv6-Addr TLV is shown in Figure 8. This 789 attribute carries IPFIX Information Element 27, "sourceIPv6Address", 790 which is the IPv6 source address before NAT operation (refer to 791 [IPFIX]). 
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            sourceIPv6Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     sourceIPv6Address              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 8

   TLV-Type

      5

   Length

      18

   sourceIPv6Address

      IPv6 address (128 bits).  This field contains the data
      (ipv6Address) of sourceIPv6Address (27) defined in IPFIX.

   If the internal realm uses the IPv6 address family, the
   IP-Port-Int-IPv6-Addr TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.7.5.

3.2.6.  IP-Port-Int-Port TLV

   The format of the IP-Port-Int-Port TLV is shown in Figure 9.  This
   TLV carries IPFIX Information Element 7, "sourceTransportPort", which
   is the source transport port number associated with an internal IPv4
   or IPv6 address (refer to [IPFIX]).

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   sourceTransportPort
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     sourceTransportPort            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                Figure 9

   TLV-Type

      6

   Length

      6

   sourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      sourceTransportPort (7) defined in IPFIX, right justified; the
      unused bits MUST be set to zero.
   The IP-Port-Int-Port TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.7.6.

3.2.7.  IP-Port-Ext-Port TLV

   The format of the IP-Port-Ext-Port TLV is shown in Figure 10.  This
   TLV carries IPFIX Information Element 227,
   "postNAPTSourceTransportPort", which is the transport port number
   associated with an external IPv4 address (refer to [IPFIX]).

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   postNAPTSourceTransportPort
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     postNAPTSourceTransportPort    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 10

   TLV-Type

      7

   Length

      6

   postNAPTSourceTransportPort

      Integer.  This field contains the data (unsigned16) of
      postNAPTSourceTransportPort (227) defined in IPFIX, right
      justified; the unused bits MUST be set to zero.

   The IP-Port-Ext-Port TLV MUST be included as part of the
   IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified
   as 241.7.7.

3.2.8.  IP-Port-Alloc TLV

   The format of the IP-Port-Alloc TLV is shown in Figure 11.  This TLV
   carries IPFIX Information Element 230, "natEvent", which indicates
   the NAT operation being reported (refer to [IPFIX]).

   When the value of natEvent is "1" (Create event), a range of
   transport ports is being allocated; when the value is "2" (Delete
   event), a range of transport ports is being deallocated.  For the
   purpose of this TLV, no other value is used.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   natEvent
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     natEvent                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 11

   TLV-Type

      8

   Length

      6

   natEvent

      Integer.  This field contains the data (unsigned8) of natEvent
      (230) defined in IPFIX, right justified; the unused bits MUST be
      set to zero.  It indicates the allocation or deallocation of a
      range of IP ports as follows:

      1:  Allocation

      2:  Deallocation

      0:  Reserved

   The IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.6.8.

3.2.9.  IP-Port-Range-Start TLV

   The format of the IP-Port-Range-Start TLV is shown in Figure 12.
   This TLV carries IPFIX Information Element 361, "portRangeStart",
   which is the smallest port number of a range of contiguous transport
   ports (refer to [IPFIX]).

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   portRangeStart
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     portRangeStart                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 12

   TLV-Type

      9

   Length

      6

   portRangeStart

      Integer.  This field contains the data (unsigned16) of
      portRangeStart (361) defined in IPFIX, right justified; the unused
      bits MUST be set to zero.

   The IP-Port-Range-Start TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.6.9.

3.2.10.  IP-Port-Range-End TLV

   The format of the IP-Port-Range-End TLV is shown in Figure 13.
   This TLV carries IPFIX Information Element 362, "portRangeEnd", which
   is the largest port number of a range of contiguous transport ports
   (refer to [IPFIX]).

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   portRangeEnd
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     portRangeEnd                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 13

   TLV-Type

      10

   Length

      6

   portRangeEnd

      Integer.  This field contains the data (unsigned16) of
      portRangeEnd (362) defined in IPFIX, right justified; the unused
      bits MUST be set to zero.

   The IP-Port-Range-End TLV is included as part of the IP-Port-Range
   Attribute (refer to Section 3.1.2), identified as 241.6.10.

3.2.11.  IP-Port-Local-Id TLV

   The format of the IP-Port-Local-Id TLV is shown in Figure 14.  This
   TLV carries a string called "localID", which is a locally significant
   identifier as explained below.

   The primary issue addressed by this TLV is that there are CGN
   deployments that do not distinguish internal hosts by their internal
   IP address alone, but use further identifiers for unique subscriber
   identification.  For example, this is the case if a CGN supports
   overlapping private or shared IP address spaces (refer to [RFC1918]
   and [RFC6598]) for internal hosts of different subscribers.  In such
   cases, different internal hosts are identified and mapped at the CGN
   by their IP address and/or another identifier, for example, the
   identifier of a tunnel between the CGN and the subscriber.  In these
   scenarios (and similar ones), the internal IP address is not
   sufficient to demultiplex connections from internal hosts.
   An additional identifier needs to be present in the IP-Port-Range
   Attribute and the IP-Port-Forwarding-Map Attribute in order to
   uniquely identify an internal host.  The IP-Port-Local-Id TLV is used
   to carry this identifier.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    TLV-Type   |     Length    |   localID ....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                               Figure 14

   TLV-Type

      11

   Length

      Variable number of bytes.

   localID

      String.  The data type of this field is string (refer to
      [I-D.ietf-radext-datatypes]).  This field contains a local session
      identifier at the customer premises, such as a MAC address,
      interface ID, VLAN ID, PPP session ID, VRF ID, IP address/prefix,
      or another local session identifier.

   The IP-Port-Local-Id TLV MAY be included in the following Attributes
   if it is necessary to identify the subscriber:

   o  IP-Port-Range Attribute, identified as 241.6.11 (see
      Section 3.1.2).

   o  IP-Port-Forwarding-Map Attribute, identified as 241.7.11 (see
      Section 3.1.3).

4.  Applications, Use Cases and Examples

   This section describes some applications and use cases to illustrate
   the use of the attributes proposed in this document.

4.1.  Managing CGN Port Behavior using RADIUS

   In a broadband network, customer information is usually stored on a
   RADIUS server, and the BNG acts as a NAS.  The communication between
   the NAS and the RADIUS server is triggered when a user signs in to
   the Internet service, using either PPP or DHCP/DHCPv6.  When a user
   signs in, the NAS sends a RADIUS Access-Request message to the RADIUS
   server.  The RADIUS server validates the request and, if the
   validation succeeds, sends back a RADIUS Access-Accept message.
   The Access-Accept message carries configuration information specific
   to that user back to the NAS, where some of the information is passed
   on to the requesting user via PPP or DHCP/DHCPv6.

   A CGN function in a broadband network is most likely to be co-located
   on a BNG.  In that case, parameters for CGN port mapping behavior for
   users can be configured on the RADIUS server.  When a user signs in
   to the Internet service, the associated parameters can be conveyed to
   the NAS, and the proper configuration is applied on the CGN device
   for that user.

   Also, CGN operation status, such as CGN port allocation and
   deallocation for a specific user on the BNG, can be transmitted back
   to the RADIUS server for accounting purposes using the RADIUS
   protocol.

   The RADIUS protocol has already been widely deployed in broadband
   networks to manage BNGs, thus the functionality described in this
   specification introduces little overhead to the existing network
   operation.

   In the following sub-sections, we describe how to manage CGN behavior
   using the RADIUS protocol, with the RADIUS extensions proposed in
   Section 3.

4.1.1.  Configure IP Port Limit for a User

   In the face of the IPv4 address shortage, there are currently
   proposals to multiplex multiple users' connections over a number of
   shared IPv4 addresses, such as Carrier-Grade NAT [RFC6888], Dual-
   Stack Lite [RFC6333], NAT64 [RFC6146], etc.  As a result, a single
   public IPv4 address may be shared by hundreds or even thousands of
   users.  As indicated in [RFC6269], it is therefore necessary to
   impose limits on the total number of ports available to an individual
   user to ensure that the shared resource, i.e., the IPv4 address,
   remains available in some capacity to all the users sharing it.  The
   support of an IP port limit is also documented in [RFC6888] as a
   requirement for CGNs.
   The IP port limit imposed on an end user may apply to the total
   number of IP source transport ports, or to a specific IP transport
   protocol as defined in Section 3.1.1.

   The per-user IP port limit is configured on a RADIUS server, along
   with other user information such as credentials.

   When a user signs in to the Internet service successfully, the IP
   port limit for the subscriber is passed by the RADIUS server to the
   BNG, acting as a NAS and co-located with the CGN, using the
   IP-Port-Limit-Info RADIUS attribute (defined in Section 3.1.1), along
   with other configuration parameters.  While some parameters are
   passed on to the user, the IP port limit is recorded on the CGN
   device to enforce the usage of IP transport ports for that user.

   Figure 15 illustrates how the RADIUS protocol is used to configure
   the maximum number of TCP/UDP ports for a given user on a CGN device.

    User                     CGN/NAS                      AAA
      |                        BNG                        Server
      |                         |                            |
      |                         |                            |
      |----Service Request----->|                            |
      |                         |                            |
      |                         |-----Access-Request-------->|
      |                         |                            |
      |                         |<----Access-Accept----------|
      |                         |    (IP-Port-Limit-Info)    |
      |                         |    (for TCP/UDP ports)     |
      |<---Service Granted------|                            |
      |   (other parameters)    |                            |
      |                         |                            |
      |            (CGN external port                        |
      |             allocation and                           |
      |             IPv4 address assignment)                 |
      |                         |                            |

      Figure 15: RADIUS Message Flow for Configuring CGN Port Limit

   The IP port limit created on a CGN device for a specific user using
   this RADIUS extension may be changed using a RADIUS CoA message
   [RFC5176] that carries the same RADIUS attribute.  The CoA message is
   sent from the RADIUS server directly to the NAS; once the NAS accepts
   it and sends back a RADIUS CoA-ACK message, the new IP port limit
   replaces the previous one.

   Figure 16 illustrates how the RADIUS protocol is used to increase the
   TCP/UDP port limit from 1024 to 2048 on a CGN device for a specific
   user.
    User                     CGN/NAS                      AAA
      |                        BNG                        Server
      |                         |                            |
      |       TCP/UDP Port Limit (1024)                      |
      |                         |                            |
      |                         |<--------CoA-Request--------|
      |                         |    (IP-Port-Limit-Info)    |
      |                         |    (for TCP/UDP ports)     |
      |                         |                            |
      |       TCP/UDP Port Limit (2048)                      |
      |                         |                            |
      |                         |---------CoA-ACK----------->|
      |                         |                            |

    Figure 16: RADIUS Message Flow for Changing a User's CGN Port Limit

4.1.2.  Report IP Port Allocation/Deallocation

   Upon obtaining the IP port limit for a user, the CGN device needs to
   allocate an IP transport port for the user when it receives a new IP
   flow sent from that user.

   As one practice, a CGN may allocate a block of IP ports for a
   specific user, instead of one port at a time, and within each port
   block the ports may be randomly distributed or consecutive.  When a
   CGN device allocates a block of transport ports, the information can
   be easily conveyed to the RADIUS server by a new RADIUS attribute
   called IP-Port-Range (defined in Section 3.1.2).  The CGN device may
   allocate one or more IP port ranges, where each range contains a set
   of numbers representing IP transport ports, and the total number of
   ports MUST be less than or equal to the IP port limit imposed on that
   user.  A CGN device may choose to allocate a small port range and
   allocate more at a later time as needed; this practice is preferable
   because it makes the ports in use by a given user harder to predict.

   At the same time, the CGN device also needs to select the shared IPv4
   address for that user.  The shared IPv4 address and the pre-allocated
   IP port range are both passed to the RADIUS server.

   When a user initiates an IP flow, the CGN device randomly selects a
   transport port number from the pre-allocated IP port range associated
   with that user to replace the original source port number, along with
   replacing the source IP address by the shared IPv4 address.
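   The TLV layouts of Section 3.2 and the port-range bookkeeping
   described above are easy to get wrong in an implementation: a TLV
   Length that overruns the enclosing attribute, an unsigned16 carried
   with non-zero "unused" bits, a portRangeStart above its portRangeEnd,
   or an allocation that silently pushes a subscriber past the limit.
   The Python below is an added example written for this page; it is not
   code from the draft or from any of its authors' implementations.  It
   builds and parses the IP-Port-Range Attribute (241.6) with the
   IP-Port-Alloc, IP-Port-Range-Start, IP-Port-Range-End,
   IP-Port-Ext-IPv4-Addr and IP-Port-Local-Id TLVs, rejects the
   malformed cases that Section 6 says an accounting server must not
   answer, and tracks one subscriber's allocations against the IP port
   limit, including a CoA-driven limit change as in the example of
   Section 4.1.4.  The outer framing (Type 241, Length, Extended-Type,
   then nested TLVs whose one-octet Length counts their own two header
   octets) is assumed from the RFC 6929 Extended-Type format; the
   function names, the PortQuota class, and the sample values
   (192.0.2.15, a "vlan-17" local identifier) are the example's own.

```python
"""Added example, not the draft's code: build, parse and police the
IP-Port-Range attribute (241.6) and enforce the per-user IP-Port-Limit.
Assumes RFC 6929 Extended-Type framing: Type 241, Length, Extended-Type,
then TLVs whose one-octet Length counts the two-octet TLV header."""
import ipaddress

EXTENDED_TYPE, IP_PORT_RANGE = 241, 6                 # attribute 241.6
# TLV-Type values from the registry in Section 7.3
TLV_EXT_IPV4_ADDR, TLV_ALLOC, TLV_RANGE_START, TLV_RANGE_END, TLV_LOCAL_ID = 3, 8, 9, 10, 11
NAT_EVENT_CREATE, NAT_EVENT_DELETE = 1, 2             # natEvent (230) values used here

def tlv(tlv_type, value):
    """TLV-Type | Length | Value; bytes() refuses a Length above 255."""
    return bytes((tlv_type, 2 + len(value))) + value

def int_field(tlv_type, value):
    """unsigned8/unsigned16 right-justified in 4 octets (TLV Length 6)."""
    return tlv(tlv_type, value.to_bytes(4, "big"))

def build_ip_port_range(event, start, end, ext_ipv4, local_id=b""):
    """Build the attribute a CGN reports in an Accounting-Request."""
    if event not in (NAT_EVENT_CREATE, NAT_EVENT_DELETE):
        raise ValueError("natEvent MUST be 1 (allocation) or 2 (deallocation)")
    if not 1 <= start <= end <= 65535:
        raise ValueError("portRangeStart/portRangeEnd out of order or out of range")
    tlvs = [int_field(TLV_ALLOC, event), int_field(TLV_RANGE_START, start),
            int_field(TLV_RANGE_END, end),
            tlv(TLV_EXT_IPV4_ADDR, ipaddress.IPv4Address(ext_ipv4).packed)]
    if local_id:                                      # optional, locally significant
        tlvs.append(tlv(TLV_LOCAL_ID, local_id))
    body = bytes((IP_PORT_RANGE,)) + b"".join(tlvs)
    if 2 + len(body) > 255:
        raise ValueError("attribute longer than 255 octets")
    return bytes((EXTENDED_TYPE, 2 + len(body))) + body

def parse_tlvs(data):
    """Yield (TLV-Type, value), refusing truncated or overlapping lengths."""
    off = 0
    while off < len(data):
        length = data[off + 1] if len(data) - off >= 2 else 0
        if length < 2 or off + length > len(data):
            raise ValueError("bad TLV Length at offset %d" % off)
        yield data[off], data[off + 2:off + length]
        off += length

def decode_int(value, bits):
    """Right-justified unsignedN in 4 octets; the unused bits MUST be zero."""
    n = int.from_bytes(value, "big")
    if len(value) != 4 or n >> bits:
        raise ValueError("integer TLV must have Length 6 and zero unused bits")
    return n

def parse_ip_port_range(attr):
    """Decode 241.6; on any error the server MUST NOT answer (Section 6)."""
    if not 3 <= len(attr) <= 255 or attr[:3] != bytes((EXTENDED_TYPE, len(attr), IP_PORT_RANGE)):
        raise ValueError("not a well-formed IP-Port-Range attribute")
    out = {}
    for t, v in parse_tlvs(attr[3:]):
        if t == TLV_ALLOC:
            out["event"] = decode_int(v, 8)
        elif t in (TLV_RANGE_START, TLV_RANGE_END):
            out["start" if t == TLV_RANGE_START else "end"] = decode_int(v, 16)
        elif t == TLV_EXT_IPV4_ADDR and len(v) == 4:
            out["ext_ipv4"] = str(ipaddress.IPv4Address(v))
        elif t == TLV_LOCAL_ID:
            out["local_id"] = v            # opaque string, may be privacy sensitive
        else:
            raise ValueError("TLV-Type %d not allowed here or malformed" % t)
    if {"event", "start", "end"} - set(out) or out["event"] not in (1, 2):
        raise ValueError("mandatory TLV missing or natEvent value not used here")
    if not 1 <= out["start"] <= out["end"]:
        raise ValueError("erroneous port range")
    return out

class PortQuota:
    """Per-subscriber bookkeeping: allocations MUST stay within .limit, which
    an IP-Port-Limit-Info in an Access-Accept or a CoA-Request sets."""

    def __init__(self, limit):
        self.limit, self.ranges = limit, set()

    def used(self):
        return sum(end - start + 1 for start, end in self.ranges)

    def apply(self, rng):
        """Apply a parsed IP-Port-Range and return the ports now allocated."""
        span = (rng["start"], rng["end"])
        if rng["event"] == NAT_EVENT_CREATE:
            if self.used() + span[1] - span[0] + 1 > self.limit:
                raise ValueError("allocation would exceed the %d-port limit" % self.limit)
            self.ranges.add(span)
        else:
            self.ranges.discard(span)
        return self.used()

def rejects(fn, *args):
    """True if fn(*args) is refused with ValueError (for the negative checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

   A receiving accounting server that wants to follow the rule in
   Section 6 (no Accounting-Response to a malformed Accounting-Request)
   can simply drop any request for which parse_ip_port_range raises
   ValueError.  The same tlv() and int_field() helpers build the
   IP-Port-Limit-Info (241.5) and IP-Port-Forwarding-Map (241.7)
   attributes; only the TLV-Type values and the set of mandatory TLVs
   differ.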
   A CGN device may decide to "free" a previously assigned set of IP
   ports that have been allocated for a specific user but are not
   currently in use; when it does so, the CGN device must send the
   deallocated IP port range, along with the shared IPv4 address, to the
   RADIUS server.

   Figure 17 illustrates how the RADIUS protocol is used to report a set
   of ports allocated and deallocated, respectively, by a NAT64 device
   for a specific user to the RADIUS server.  2001:db8:100:200::/56 is
   the IPv6 prefix allocated to this user.  In order to limit the usage
   of the NAT64 resources on a per-user basis for fairness of resource
   usage (see REQ-4 of [RFC6888]), port range allocations are bound to
   the /56 prefix, not to the source IPv6 address of the request.  The
   NAT64 device is configured with the per-user port limit policy by
   some means (e.g., subscriber-mask [RFC7785]).

    Host                    NAT64/NAS                     AAA
      |                        BNG                        Server
      |                         |                            |
      |                         |                            |
      |----Service Request----->|                            |
      |                         |                            |
      |                         |-----Access-Request-------->|
      |                         |                            |
      |                         |<----Access-Accept----------|
      |<---Service Granted------|                            |
      |   (other parameters)    |                            |
     ...                       ...                          ...
      |                         |                            |
      |                         |                            |
      |     (NAT64 decides to allocate                       |
      |      a TCP/UDP port range for the user)              |
      |                         |                            |
      |                         |-----Accounting-Request---->|
      |                         |    (IP-Port-Range          |
      |                         |     for allocation)        |
     ...                       ...                          ...
      |                         |                            |
      |     (NAT64 decides to deallocate                     |
      |      a TCP/UDP port range for the user)              |
      |                         |                            |
      |                         |-----Accounting-Request---->|
      |                         |    (IP-Port-Range          |
      |                         |     for deallocation)      |
      |                         |                            |

      Figure 17: RADIUS Message Flow for Reporting NAT64 Allocation/
                      Deallocation of a Port Set

4.1.3.  Configure Forwarding Port Mapping

   In most scenarios, the port mapping on a NAT device is dynamically
   created when the IP packets of an IP connection initiated by a user
   arrive.
   For some applications, the port mapping needs to be pre-defined,
   allowing IP packets of applications from outside a CGN device to pass
   through and be "port forwarded" to the correct user located behind
   the CGN device.

   The Port Control Protocol (PCP) [RFC6887] provides a mechanism to
   create a mapping from an external IP address and port to an internal
   IP address and port on a CGN device precisely for this "port
   forwarding" purpose.  PCP is a client-server protocol capable of
   creating or deleting a mapping, along with a rich set of features, on
   a CGN device in a dynamic fashion.  In some deployments, all a user
   needs is a few, typically just one, pre-configured port mapping for
   an application such as a web cam at home, and such a port mapping
   remains valid throughout the duration of the customer's Internet
   service connection.  In such an environment, it is possible to
   statically configure a port mapping on the RADIUS server for a user
   and let the RADIUS protocol propagate the information to the
   associated CGN device.

   Note that this document targets deployments where a AAA server is
   responsible for instructing NAT mappings for a given subscriber and
   does not make any assumption about the host's capabilities with
   regard to port forwarding control.  This deployment is complementary
   to PCP, given that PCP targets a different deployment model where an
   application (on the host) controls its mappings in an upstream CPE,
   CGN, firewall, etc.

   Figure 18 illustrates how the RADIUS protocol is used to configure a
   forwarding port mapping on a NAT44 device.
    Host                     CGN/NAS                      AAA
      |                        BNG                        Server
      |                         |                            |
      |----Service Request----->|                            |
      |                         |                            |
      |                         |-------Access-Request------>|
      |                         |                            |
      |                         |<------Access-Accept--------|
      |                         |  (IP-Port-Forwarding-Map)  |
      |<---Service Granted------|                            |
      |   (other parameters)    |                            |
      |                         |                            |
      |           (Create a port mapping                     |
      |            for the user, and                         |
      |            associate it with the                     |
      |            internal IP address                       |
      |            and external IP address)                  |
      |                         |                            |
      |                         |                            |
      |                         |-----Accounting-Request---->|
      |                         |  (IP-Port-Forwarding-Map)  |

     Figure 18: RADIUS Message Flow for Configuring a Forwarding Port
                                  Mapping

   A port forwarding mapping that is created on a CGN device using this
   RADIUS extension, as described above, may also be changed using a
   RADIUS CoA message [RFC5176] that carries the same RADIUS attribute.
   The CoA message is sent from the RADIUS server directly to the NAS;
   once the NAS accepts it and sends back a RADIUS CoA-ACK message, the
   new port forwarding mapping replaces the previous one.

   Figure 19 illustrates how the RADIUS protocol is used to change an
   existing port mapping from (a:X) to (a:Y), where "a" is an internal
   port, and "X" and "Y" are external ports, respectively, for a
   specific user with a specific IP address.

    Host                     CGN/NAS                      AAA
      |                        BNG                        Server
      |                         |                            |
      |      Internal IP Address                             |
      |      Port Map (a:X)     |                            |
      |                         |                            |
      |                         |<--------CoA-Request--------|
      |                         |  (IP-Port-Forwarding-Map)  |
      |                         |                            |
      |      Internal IP Address                             |
      |      Port Map (a:Y)     |                            |
      |                         |                            |
      |                         |---------CoA-ACK----------->|
      |                         |  (IP-Port-Forwarding-Map)  |

      Figure 19: RADIUS Message Flow for Changing a User's Forwarding
                               Port Mapping

4.1.4.  An Example

   An Internet Service Provider (ISP) assigns 500 TCP/UDP ports to the
   user Joe.  This number is the limit on the TCP/UDP ports that Joe may
   use on a CGN device, and it is configured on a RADIUS server.
   Also, Joe asks for a pre-defined port forwarding mapping on the CGN
   device for his web cam application (external port 5000 maps to
   internal port 1234).

   When Joe successfully connects to the Internet service, the RADIUS
   server conveys the TCP/UDP port limit (500) and the forwarding port
   mapping (external port 5000 to internal port 1234) to the CGN device,
   using the IP-Port-Limit-Info Attribute and the IP-Port-Forwarding-Map
   Attribute, respectively, carried by an Access-Accept message to the
   BNG where the NAS and CGN are co-located.

   Upon receiving the first outbound IP packet sent from Joe's laptop,
   the CGN device decides to allocate a small port pool that contains 41
   consecutive ports, from 3500 to 3540 inclusive, and also assigns the
   shared IPv4 address 192.0.2.15 to Joe.  The CGN device then randomly
   selects one port from the allocated range (say 3519) and uses that
   port to replace the original source port in outbound IP packets.

   For accounting purposes, the CGN device passes this port range
   (3500-3540) and the shared IPv4 address 192.0.2.15 together to the
   RADIUS server using the IP-Port-Range Attribute carried by an
   Accounting-Request message.

   When Joe runs more applications with more outbound IP mappings and
   the port pool (3500-3540) is close to exhaustion, the CGN device
   allocates a second port pool (8500-8800) in a similar fashion, and
   also passes the new port range (8500-8800) and the IPv4 address
   192.0.2.15 together to the RADIUS server using the IP-Port-Range
   Attribute carried by an Accounting-Request message.  Note that when
   the CGN allocates more ports, it needs to ensure that the total
   number of ports allocated to Joe stays within the limit.

   Joe decides to upgrade his service agreement to allow more TCP/UDP
   ports (up to 1000 ports).
   The ISP updates the information in Joe's profile on the RADIUS
   server, which then sends a CoA-Request message that carries the
   IP-Port-Limit-Info Attribute with 1000 ports to the CGN device; the
   CGN device in turn sends back a CoA-ACK message.  With that, Joe
   enjoys more available TCP/UDP ports for his applications.

   When Joe is not using his service, most of the IP mappings are closed
   and their associated TCP/UDP ports are released on the CGN device,
   which then sends the relevant information back to the RADIUS server
   using the IP-Port-Range Attribute carried by an Accounting-Request
   message.

   Throughout Joe's connection with his ISP Internet service,
   applications in the external realm can communicate with his web cam
   at home directly, traversing the pre-configured mapping on the CGN
   device.

   When Joe disconnects from his Internet service, the CGN device
   deallocates all TCP/UDP ports as well as the port-forwarding mapping,
   and sends the relevant information to the RADIUS server.

4.2.  Report Assigned Port Set for a Visiting UE

   Figure 20 illustrates an example of the flow exchange which occurs
   when a visiting User Equipment (UE) connects to a CPE offering WLAN
   service.

   For identification purposes (see [RFC6967]), once the CPE assigns a
   port set, it issues a RADIUS message to report the assigned port set.

    UE            CPE                      CGN                     AAA
     |              |                       BNG                    Server
     |              |                        |                        |
     |              |                        |                        |
     |              |----Service Request---->|                        |
     |              |                        |                        |
     |              |                        |----Access-Request----->|
     |              |                        |                        |
     |              |                        |<----Access-Accept------|
     |              |<---Service Granted-----|                        |
     |              |  (other parameters)    |                        |
    ...            ...                      ...                      ...
     |<-----IP@-----|                        |                        |
     |              |                        |                        |
     |     (CPE assigns a TCP/UDP port                                |
     |      range for this visiting UE)                               |
     |              |                        |                        |
     |              |--Accounting-Request-...------------------------>|
     |              |  (IP-Port-Range                                 |
     |              |   for allocation)                               |
    ...            ...                      ...                      ...
     |              |                        |                        |
     |              |                        |                        |
     |     (CPE withdraws a TCP/UDP port                              |
     |      range for a visiting UE)                                  |
     |              |                        |                        |
     |              |--Accounting-Request-...------------------------>|
     |              |  (IP-Port-Range                                 |
     |              |   for deallocation)                             |
     |              |                        |                        |

       Figure 20: RADIUS Message Flow for Reporting CPE Allocation/
                 Deallocation of a Port Set to a Visiting UE

5.  Table of Attributes

   This document proposes three new RADIUS attributes; their codes are
   as follows:

   o  IP-Port-Limit-Info: 241.5.

   o  IP-Port-Range: 241.6.

   o  IP-Port-Forwarding-Map: 241.7.

   The following table provides a guide to which types of RADIUS packets
   may contain these attributes, and in what quantity.

   Request Accept Reject Challenge Acct.    #      Attribute
                                    Request
   0+      0+     0      0         0+       241.5  IP-Port-Limit-Info
   0       0      0      0         0+       241.6  IP-Port-Range
   0+      0+     0      0         0+       241.7  IP-Port-Forwarding-Map

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the
       packet.

6.  Security Considerations

   This document does not introduce any security issue other than the
   ones already identified in RADIUS [RFC2865] and, for CoA messages,
   [RFC5176].  Known RADIUS vulnerabilities apply to this specification.
   For example, if RADIUS packets are sent in the clear, an attacker in
   the communication path between the RADIUS client and server may read
   or modify the attributes defined here.  Such an attacker may:

   o  prevent a legitimate user from accessing the service by setting
      the maximum number of IP ports conveyed in an IP-Port-Limit-Info
      Attribute;

   o  exhaust the port quota of a user by installing many mapping
      entries (IP-Port-Forwarding-Map Attribute);

   o  prevent incoming traffic from being delivered to its legitimate
      destination by manipulating the mapping entries installed by means
      of an IP-Port-Forwarding-Map Attribute;

   o  discover the IP address and port range assigned to a given user,
      which is reported in an IP-Port-Range Attribute.

   The root cause of these attack vectors is the unprotected
   communication between the RADIUS client and server.

   The IP-Port-Local-Id TLV includes an identifier whose type and length
   are deployment and implementation dependent.  This identifier might
   carry privacy-sensitive information (for example, a MAC address).  It
   is therefore RECOMMENDED to utilize identifiers that do not have such
   privacy concerns.

   If there is any error in a RADIUS Accounting-Request packet sent from
   a RADIUS client to the server, the RADIUS server MUST NOT send a
   response to the client (refer to [RFC2866]).  Examples of such errors
   include an erroneous port range in an IP-Port-Range Attribute, an
   inconsistent port mapping in an IP-Port-Forwarding-Map Attribute,
   etc.

   This document targets deployments where a trusted relationship is in
   place between the RADIUS client and server, with communication
   optionally secured by IPsec or Transport Layer Security (TLS)
   [RFC6614].

7.  IANA Considerations

   This document requires new code point assignments for both IPFIX
   Information Elements and RADIUS attributes, as explained in the
   following sub-sections.

7.1.  IANA Considerations on New IPFIX Information Elements

   The following is a new IPFIX Information Element requested by this
   document (refer to Section 3.2.2):

   o  sourceTransportPortsLimit:

      *  Name: sourceTransportPortsLimit.

      *  Element ID: 458.

      *  Description: This Information Element contains the maximum
         number of IP source transport ports that can be used by an end
         user when sending IP packets; each user is associated with one
         or more (source) IPv4 or IPv6 addresses.  This IE is
         particularly useful in address sharing deployments that adhere
         to REQ-4 of [RFC6888].  Limiting the number of ports assigned
         to each user ensures fairness among users and mitigates the
         denial-of-service attack that a user could launch against other
         users through the address sharing device in order to grab more
         ports.

      *  Data type: unsigned16.

      *  Data type semantics: totalCounter.

      *  Data type unit: ports.

      *  Data value range: from 1 to 65535.

7.2.  IANA Considerations on New RADIUS Attributes

   The authors request that the Attribute Types and Attribute Values
   defined in this document be registered by the Internet Assigned
   Numbers Authority (IANA) from the RADIUS namespaces as described in
   the "IANA Considerations" section of [RFC3575], in accordance with
   BCP 26 [RFC5226].  IANA is requested to place the RADIUS packets,
   attributes and registries created by this document at
   http://www.iana.org/assignments/radius-types.
   In particular, this document defines three new RADIUS attributes,
   entitled "IP-Port-Limit-Info" (see Section 3.1.1), "IP-Port-Range"
   (see Section 3.1.2) and "IP-Port-Forwarding-Map" (see Section 3.1.3),
   with assigned values of 241.5, 241.6 and 241.7 from the Short
   Extended Space of [RFC6929]:

   Type   Name                    Meaning
   ----   ----                    -------
   241.5  IP-Port-Limit-Info      see Section 3.1.1
   241.6  IP-Port-Range           see Section 3.1.2
   241.7  IP-Port-Forwarding-Map  see Section 3.1.3

7.3.  IANA Considerations on New RADIUS TLVs

   IANA is requested to create a new registry called "RADIUS IP Port
   Configuration and Reporting TLVs".  All TLVs in this registry have
   one or more parent RADIUS attributes in which they are nested (refer
   to [RFC6929]).  This registry contains the following TLVs:

   Value    Name                    Definition
   -----    ----                    ----------
   0        Reserved
   1        IP-Port-Type            see Section 3.2.1
   2        IP-Port-Limit           see Section 3.2.2
   3        IP-Port-Ext-IPv4-Addr   see Section 3.2.3
   4        IP-Port-Int-IPv4-Addr   see Section 3.2.4
   5        IP-Port-Int-IPv6-Addr   see Section 3.2.5
   6        IP-Port-Int-Port        see Section 3.2.6
   7        IP-Port-Ext-Port        see Section 3.2.7
   8        IP-Port-Alloc           see Section 3.2.8
   9        IP-Port-Range-Start     see Section 3.2.9
   10       IP-Port-Range-End       see Section 3.2.10
   11       IP-Port-Local-Id        see Section 3.2.11
   12-255   Unassigned

   The registration procedure for this registry is Standards Action as
   defined in [RFC5226].

8.  Acknowledgements

   Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David
   Thaler, Alan DeKok, Lionel Morand, and Peter Deacon for their useful
   comments and suggestions.

   Special thanks to Lionel Morand for the Shepherd review and to
   Kathleen Moriarty for the AD review.

   Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed
   review.

9.  References

9.1.  Normative References

   [I-D.ietf-radext-datatypes]
              DeKok, A., "Data Types in the Remote Authentication Dial-
              In User Service Protocol (RADIUS)", draft-ietf-radext-
              datatypes-08 (work in progress), October 2016.

   [IPFIX]    IANA, "IP Flow Information Export (IPFIX) Entities".

   [ProtocolNumbers]
              IANA, "Protocol Numbers".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              DOI 10.17487/RFC3575, July 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC7012]  Claise, B., Ed. and B. Trammell, Ed., "Information Model
              for IP Flow Information Export (IPFIX)", RFC 7012,
              DOI 10.17487/RFC7012, September 2013.

9.2.  Informative References

   [I-D.gundavelli-v6ops-community-wifi-svcs]
              Gundavelli, S., Grayson, M., Seite, P., and Y. Lee,
              "Service Provider Wi-Fi Services Over Residential
              Architectures", draft-gundavelli-v6ops-community-wifi-
              svcs-06 (work in progress), April 2013.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.
   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
              and E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866,
              DOI 10.17487/RFC2866, June 2000.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram
              Congestion Control Protocol (DCCP)", RFC 4340,
              DOI 10.17487/RFC4340, March 2006.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, DOI 10.17487/RFC4960, September 2007.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6598]  Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and
              M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address
              Space", BCP 153, RFC 6598, DOI 10.17487/RFC6598, April
              2012.
   [RFC6614]  Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
              "Transport Layer Security (TLS) Encryption for RADIUS",
              RFC 6614, DOI 10.17487/RFC6614, May 2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6967]  Boucadair, M., Touch, J., Levis, P., and R. Penno,
              "Analysis of Potential Solutions for Revealing a Host
              Identifier (HOST_ID) in Shared Address Deployments",
              RFC 6967, DOI 10.17487/RFC6967, June 2013.

   [RFC7785]  Vinapamula, S. and M. Boucadair, "Recommendations for
              Prefix Binding in the Context of Softwire Dual-Stack
              Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016.

   [TR-146]   Broadband Forum, "TR-146: Subscriber Sessions".

Authors' Addresses

   Dean Cheng
   Huawei
   2330 Central Expressway
   Santa Clara, California 95050
   USA

   Email: dean.cheng@huawei.com


   Jouni Korhonen
   Broadcom Corporation
   3151 Zanker Road
   San Jose 95134
   USA

   Email: jouni.nospam@gmail.com


   Mohamed Boucadair
   Orange
   Rennes
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina
   USA

   Email: ssenthil@cisco.com
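The following decoder is an added example and is not part of this document or of any author's implementation. It applies the attribute codes (241.5, 241.6, 241.7) and the TLV registry values from the IANA tables in Section 7 to the Extended-Type framing and "tlv" data type of [RFC6929]: Type 241, a Length octet covering the whole attribute, an Extended-Type octet, then TLVs each carrying a TLV-Type octet and a TLV-Length octet that MUST be at least 3. The checks a receiver needs before trusting any of these octets (Length matching the buffer, no TLV running past its parent, no zero-length TLV that would loop forever) are the point of the example. TLV values are left opaque because their data types are given in Section 3.2, not here; the 4-octet integer encoding in the constructed sample, and the choice to reject Reserved type 0 while surfacing Unassigned types 12-255 to the caller, are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List

EXTENDED_TYPE_241 = 241  # RFC 6929 Type opening the Short Extended Space

# Attribute codes from the Section 7 table: 241.5, 241.6, 241.7.
ATTRIBUTE_NAMES = {5: "IP-Port-Limit-Info", 6: "IP-Port-Range",
                   7: "IP-Port-Forwarding-Map"}

# "RADIUS IP Port Configuration and Reporting TLVs" registry.
# 0 is Reserved and 12-255 are Unassigned, so neither appears here.
TLV_NAMES = {
    1: "IP-Port-Type", 2: "IP-Port-Limit", 3: "IP-Port-Ext-IPv4-Addr",
    4: "IP-Port-Int-IPv4-Addr", 5: "IP-Port-Int-IPv6-Addr",
    6: "IP-Port-Int-Port", 7: "IP-Port-Ext-Port", 8: "IP-Port-Alloc",
    9: "IP-Port-Range-Start", 10: "IP-Port-Range-End", 11: "IP-Port-Local-Id",
}


class MalformedAttribute(ValueError):
    """Octets violate the RFC 6929 framing or this document's registry."""


@dataclass
class TLV:
    tlv_type: int
    name: str
    value: bytes  # opaque here; per-TLV data types are in Section 3.2


@dataclass
class ExtendedAttribute:
    ext_type: int
    name: str
    tlvs: List[TLV]


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV-Type | TLV-Length (counts both header octets) | TLV-Value."""
    if not 0 <= tlv_type <= 255:
        raise ValueError("TLV-Type is one octet")
    if not 1 <= len(value) <= 253:
        raise ValueError("TLV-Length must be between 3 and 255")
    return bytes([tlv_type, 2 + len(value)]) + value


def encode_attribute(ext_type: int, tlvs: List[bytes]) -> bytes:
    """Type 241 | Length (whole attribute) | Extended-Type | TLVs."""
    body = b"".join(tlvs)
    if not 1 <= len(body) <= 252:
        raise ValueError("attribute Length must be between 4 and 255")
    return bytes([EXTENDED_TYPE_241, 3 + len(body), ext_type]) + body


def parse_tlvs(data: bytes) -> List[TLV]:
    """Walk the TLVs in an attribute value; every read stays inside the
    parent and every iteration advances by at least 3 octets."""
    tlvs: List[TLV] = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise MalformedAttribute(f"truncated TLV header at offset {off}")
        tlv_type, tlv_len = data[off], data[off + 1]
        if tlv_len < 3:  # RFC 6929: TLV-Length MUST be at least 3
            raise MalformedAttribute(f"TLV-Length {tlv_len} < 3 at offset {off}")
        if off + tlv_len > len(data):
            raise MalformedAttribute(f"TLV at offset {off} overruns its parent")
        if tlv_type == 0:  # Reserved in the registry; never valid on the wire
            raise MalformedAttribute("TLV-Type 0 is Reserved")
        # Unassigned codes are surfaced rather than dropped, so the caller
        # decides whether to ignore them or treat the attribute as invalid.
        name = TLV_NAMES.get(tlv_type, f"Unassigned-{tlv_type}")
        tlvs.append(TLV(tlv_type, name, data[off + 2:off + tlv_len]))
        off += tlv_len
    return tlvs


def parse_attribute(data: bytes) -> ExtendedAttribute:
    """Decode exactly one 241.x attribute already sliced out of the packet
    by its Length octet."""
    if len(data) < 4:
        raise MalformedAttribute("Extended-Type attribute needs at least 4 octets")
    attr_type, length, ext_type = data[0], data[1], data[2]
    if attr_type != EXTENDED_TYPE_241:
        raise MalformedAttribute(f"Type {attr_type} is not 241")
    if length != len(data):
        raise MalformedAttribute(f"Length {length} does not match {len(data)} octets")
    if ext_type not in ATTRIBUTE_NAMES:
        raise MalformedAttribute(f"241.{ext_type} is not defined by this document")
    return ExtendedAttribute(ext_type, ATTRIBUTE_NAMES[ext_type], parse_tlvs(data[3:]))


def rejects(data: bytes) -> bool:
    """True when the decoder refuses the octets as malformed."""
    try:
        parse_attribute(data)
    except MalformedAttribute:
        return True
    return False


def sample_limit_info() -> bytes:
    """Constructed sample: IP-Port-Limit-Info with IP-Port-Type 17 (UDP in
    [ProtocolNumbers]) and IP-Port-Limit 1024.  The 4-octet integer
    encoding of both values is an assumption of this example."""
    return encode_attribute(5, [encode_tlv(1, (17).to_bytes(4, "big")),
                                encode_tlv(2, (1024).to_bytes(4, "big"))])


if __name__ == "__main__":
    print(parse_attribute(sample_limit_info()))
    print("truncated copy rejected:", rejects(sample_limit_info()[:-1]))
```

Running the module decodes the sample as 241.5 with two named TLVs and shows that dropping the final octet is refused because the Length octet no longer matches the buffer; the same `rejects` check catches a TLV whose TLV-Length points past the end of the attribute and a zero TLV-Length that would otherwise never advance the offset.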
