Analysis of NAT64 Port Allocation Methods for Shared IPv4 Addresses

As a result of the depletion of public IPv4 addresses, Carrier Grade NAT (CGN) has been adopted by ISPs to share the available IPv4 resources. Overall, a CGN function maps IP addresses from one address realm to another, relying upon a mechanism of multiplexing multiple subscribers' connections over a number of shared IPv4 addresses to provide connectivity services to end hosts. A network-based NAT is implied by several approaches to IPv4 service continuity over an IPv6 network including DS-Lite , NAT64 ( and ), etc. ) focusses on the topic of IPv6 migration. When NAPT is involved, elaborates on the considerations for address sharing and particularly port assignment in the NAT64 environment. looks more closely at dynamic bulk assignment of ports to individual subscriber sites, particularly as a means to reduce the volume of log files. The proposals made in this section are applicable to the CGN environment in general, independently of the particular flavor of translation being used.

For port allocations on NAT64, several aspects may have to be considered when selecting a suitable method. Here is a list of the potential considerations, which are covered in more detail below. specific features of port usage in a NAT64 environment; classification of different port allocation methods; port allocation to improve connectivity; port allocation to optimize log volume; port allocation to enhance security. Both analysis and relevant experimental results are presented in the sub-sections that follow.

China Mobile did a test comparison of port consumption on NAT64 and NAT44. Top100 websites (referring to Alexa statistics) were assessed to evaluate status of port usage on NAT44 and NAT64 respectively. China Mobile observed that the port consumption per session on NAT64 is roughly only half that on NAT44. 43 percent of top100 websites have AAAA records, therefore the NAT64 didn't have to assign ports to the traffic going to those websites. The results may be different if more services (e.g. game, web-mail, etc) are considered. But it is apparent that the effects of port saving on NAT64 will be amplified by increasing native IPv6 support. Apart from the above observation, port allocation can be tuned according to the phase of IPv6 migration. As more content providers and services become available over IPv6, the utilization of NAT64 goes down since fewer destinations require translation progressing. Thus as IPv6 migration proceeds, it will be possible to relax the multiplexing ratio of IPv4 address sharing (see Appendix B of [RFC6269]).

This section lists several models to allocate the port information in NAT64. It also describes example cases for each allocation model.

Stateful The stateful NAT can be implemented either by static address translation or dynamic address translation. In the case of static address assignment, a one-to-one address mapping for hosts between a IPv6 network address and an IPv4 network address is pre-configured on the NAT operation. This case normally occurs when a server is deployed in an IPv6 domain. The static configuration ensures stable inbound connectivity. Dynamic address assignment would periodically free the binding so that the global address could be recycled for later use. This increases the efficiency of usage of IPv4 resources. Stateless Stateless NAT is performed in compliance with . The public IPv4 address is required to be embedded in the IPv6 address. Thus the NAT64 can directly extract the address and has no need to record mapping states. A promising usage of stateless NAT may appear in the data centre environment where IPv6 server pools receive inbound connections from IPv4 users externally . NAT usage in other cases may be controversial. First off, the static one-to-one mapping does not address the issue of IPv4 depletion. Secondly, it introduces a dependency between IPv4 and IPv6 addressing. That creates other limitations since a change of IPv4 address will cause renumbering of IPv6 addresses.

Port assignments can be dynamic (ports allocated on demand) or static (ports allocated as part of the configuration process). Dynamic assignment NAT64 uses dynamic assignment, since this achieves higher port utilization. Port allocations can be made with per-session or per-customer granularity. Per-session assignment is configured on the NAT64 by default since it maximizes port utilization. However, if only individual port numbers are assigned, this can result in a heavy log volume that may have to be recorded for legal data retention systems. To mitigate that concern, the NAT64 may dynamically allocate a port range for each connected subscriber or upon receipt of a first outgoing packet from an IPv6 host. This will significantly reduce log volume. A proper port-range configuration may have to take into account two considerations: The number of session initiations for each subscriber. A subscriber normally uses multiple applications simultaneously, e.g. maps applications, online video or game. The number of concurrent sessions is essential to determine the number of ports the subscriber needs. The China Mobile study mentioned earlier observed that the average number of sessions consumed by one user's device was around 200 to 300 ports. Several devices may appear behind a CPE. Based on this observation, 1000 ports per subscriber household will provide enough room for multiple active users. Administrators should monitor usage to adjust this number if users are being limited by this number, or if usage is so low that fewer ports would be sufficient. Impacts on NAT64 capacity. Preassigned port ranges occupy memory even when there are unused ports. Therefore, the operator should be cautious about the impact of port-range reservation on the capacity for attempted concurrent sessions, especially in the case of a centralized NAT64 serving numerous subscribers. Static assignment Static assignment makes port reservations in bulk for each internal address before subscriber connection. The assigned ports can be in either a contiguous port range or a non-contiguous port range for the sake of defense against port-guessing attacks (see ). Log recording for each port assignment may not be necessary due to the stable mapping relations. Considerations of the interaction between port-range allocation and capacity impact are also applicable in the case of static assignment. describes a deterministic algorithm to assign a port range for an internal IP address pool in a sequence.

There is an increasing need to connect NAT64 with downstream NAT46-capable devices to support IPv4 users/applications on an IPv6-only path. Several solutions have been proposed in this area, e.g., 464xlat , MAP-T and 4rd . Port allocation can be categorized as a centralized assignment on NAT64 or as a port delegation distributed to downstream devices (e.g, Customer Edge connected with NAT64). Centralized Assignment A centralized method makes port assignments once IP flows come to the NAT64. The allocation policy is enforced on a centralized point. Either a dynamic or static port assignment is made for received sessions. Distributed Assignment NAT64 can also delegate the pre-allocated port range to customer edge devices. That can be achieved through additional out-of-band provisioning signals (e.g., , ). The distributed model normally is performed A+P style for static port assignment. The NAT64 should also hold the corresponding mapping in order to validate port usage in the outgoing direction and route inbound packets. Delegated port ranges shift NAT64 port computations/states into downstream devices. The detailed benefits of this approach are documented in .

describes a process where the dynamic binding is created by an outgoing packet, but it may also be created by other means such as a Port Control Protocol request (see ). Lookin beyond NAT64 for the moment, DS-Lite refers to the cautions in but does not specify any port allocation method. Both techniques DS-Lite and NAT64 assume a centralized model. The specifications for both transition methods thus allow implementations to use the proposals made in (and ).

The port allocation solutions that are being specified at the time of writing of this document are all variations on the static distributed model, to minimize the amount of state that has to be held in the network. The proposals made in do not apply to the current work in progress because that work has gone in another direction. That work includes: Light-weight 4over6 (LW4o6 ), which requires the CPE to be configured explicitly with the shared IPv4 address and port set it will use on the WAN side of its NAT44 function. The border router is configured with the same information, reducing the state it must hold from per-session to per-subscriber amounts. Mapping of Address and Port with Encapsulation (MAP-E ) and the experimental specifications Mapping of Address and Port with Translation (MAP-T ) and 4rd , already mentioned. These rely on an algorithmic embedding of WAN-side IPv4 address and assigned port set within the IPv6 prefix assigned to each CPE. Both the CPE and the border router must be configured with this information. However, the algorithm is designed to aggregate routing information such that the amount of state carried by the border router is of a lower order of magnitude than even the per-subscriber level. All A+P variants support a 1-1 mapping mode, where the IPv4 and IPv6 addresses assigned to a CPE are independent. This can be helpful in transition, but, as with LW4o6, raises the amount of state in the network back to the per-subscriber level. For a packet destined to a host outside the MAP domain from which the packet originated: MAP-E and 4rd treat the packet as an IPv4 over IPv6 tunnel via the border router. MAP-T uses stateless mapping in the sense of by embedding the destination IPv4 address within the IPv6 address of the packet sent to the border router.

The Port Control Protocol (PCP, ) can be used to reserve a single port or a port set for applications. It requires that the NAT be controlled by a PCP server function. PCP provides an out-of-band signalling mechanism for coordinating dynamic allocation of ports between hosts and the border router, removes the need for ALGs, allows for successful incoming connections, etc.

provides a thoughtful analysis on the issues of IP address sharing. It points out that IP address sharing may impact law enforcement since source address information will be lost during the translation. Network administrators have to log the mapping status for each connection in order to identify a specific user associated with an IP address in a particular time slot. The storage of log information may pose a challenge to operators, since it requires additional resources and data inspection processes to identify users. For concrete details of what should be logged, see Section 3.1 of . The actual logging may use either IPFIX or Syslog depending on the operator's requirements. It is desirable to reduce the volume of the logged information. Referring to the classification of port allocation methods given above, dynamic assignments can be managed on either a per-session or per-customer granularity. The coarser granularity will lead to lower log volume storage. A test was made by recording the log information from 200,000 subscribers in the Chinese network for 60 days. The volume of recorded information reached up to 42.5 terabytes with per-session logging in the raw format. The volume could be reduced to 10.6 terabytes with gzip format. Compared with that, it only occupied 40.6 gigabytes, three orders of magnitude smaller volume, with per-customer logging in the raw format. With static allocation, of course, no logs for port assignment are required, but a record of the configuration change is still required. On the other hand, the lower logging volumes are associated with lower efficiency of port utilization. A port allocation based on per-customer granularity has to retain vacant ports in order to avoid traffic overflow. The efficiency can be evaluated by port utilization rate, and will be even lower if the static port allocation method is used. Inactive users may also impact the efficiency. summarizes the test results using Syslog. The ports were pre-allocated to customers regardless of online or offline status. Port Allocation Method Log Granularity Estimated Log Volume Port Utilization Dynamic NAPT Per-session 42.5 terabytes 100% Dynamic port-range Per-customer 40.6 Gigabytes 75% Deterministic NAT, MAP-T, 4rd None None (60% * 75%) = 45% Note: 75% is the estimated port utilization ratio per active subscriber. 60% is the estimated ratio of active subscribers to the total number of subscribers. The data shown in roughly demonstrates the tradeoff between port utilization and log volume reduction. Administrators may consider the following factors to make their design choice that would meet their deployment requirements: average connectivity per customer per day; peak connectivity per day; the number of public IPv4 addresses available to the NAT64; application demands for specific ports; processing capabilities of the NAT64; tolerable log volume.

It has been observed that port consumption is significantly increased once subscribers land on a web page for video on demand, an online game, or map services. In those cases, multiple TCP connections may be initiated to optimize the performance of data transmissions for video download and message exchange. Given the video traffic growth trend, this likely presents a challenge for network operators who need to optimize connectivity states and avoid port depletion. Those optimizations may even affect the method of port-range allocation, because a subscriber is only allowed to use a pre-configured port resource. Two optimizations may be considered: Reducing the TIME-WAIT state. The user's behavior normally correlates with system performance. It is rather common that users change video channels often. Investigations have shown that 60% of videos are watched for less than 20% of their duration. The user's access patterns may leave a number of the TIME-WAIT states. Therefore, acceleration of TIME-WAIT state transitions could increase the efficiency of port utilization. defines a mechanism for reducing TIME-WAIT state by proposing TCP timestamps and sequence numbers. recommended applying and PAWS (Protect Against Wrapped Sequence numbers, described in ) to NAT. This may also be a way to improve port utilization. Another possibility is to use Address-Dependent Mapping or Address and Port-Dependent Mapping to increase port utilization. This feature has already been implemented on a vendor-specific basis. However, it should be noted that REQ-7 and REQ-12 in may reduce the incentive to use anything but the Address-Independent Mapping behaviour recommended by .

Port randomization is a feature to enhance the defense against hijacking of flows. specifies that: "A NAPT that does not implement port preservation (, ) should obfuscate selection of the ephemeral port of a packet when it is changed during translation of that packet." A NAPT based on per-session allocation normally follows this recommendation. See for a fuller discussion of port randomization.

During the IPv6 transition period, large-scale NAT devices may be introduced, e.g. DS-Lite AFTR, NAT64. When a NAT device needs to set up a new connection for a given internal address behind the NAT, it needs to create a new mapping entry for the new connection, which will contain source IP address, source port or ICMP identifier, converted source IP address, converted source port, protocol (TCP/UDP), etc. For various reasons it is necessary to log these mappings. Some high performance NAT devices may need to create a large amount of new sessions per second. As discussed in , if the logs are generated for each mapping entry, the log traffic could reach tens of megabytes per second or more, which would be a problem for log generation, transmission and storage. (The per-session volumes in amount to 42 bytes per served subscriber per second. The volumes reported in the introduction to for U.S. users are even higher, around 58 bytes per second per subscriber served.) , REQ-13, REQ-14, and REQ-15 deal explicitly with port allocation schemes and logging. However, it is recognized that these are conflicting requirements, requiring a tradeoff between the efficiency with which ports are used and the rate of generation of log records. Allocating a range of N ports at once reduces the log volume by a factor of N, while also reducing port utilization by a factor which varies with the address sharing ratio and other configuration parameters. This provides a clear motivation to use dynamic allocation of port-ranges rather than individual ports when it is possible to do so while maintaining a satisfactory level of port utilization (and by implication, shared global IPv4 address utilization). Dynamic allocation of port ranges may be used either as the sole strategy for port allocation on the NAPT, or as a supplement to an initial static allocation.

When the user sends out the first packet, a port resource pool is allocated for the user, e.g., assigning ports 2001~2300 of a public IP address to the user's resource pool. Only one log should be generated for this port block. When the NAT needs to set up a new mapping entry for the user, it can use a port in the user's resource pool and the corresponding public IP address. If the user needs more port resources, the NAT can allocate another port block, e.g., ports 3501~3800, to the user's resource pool. Again, just one log needs to be generated for this port block. Cryptographically random port assignment is discussed in Section 2.2 of . Indeed, takes this idea further by allocating non-contiguous sets of ports using a pseudorandom function. Scattering the allocated ports in this way provides a modest barrier to port guessing attacks. The use of randomization is discussed further in . Suppose now that a given internal address has been assigned more than one block of ports. The individual sessions using ports within a port block will start and end at different times. If no ports in some port block are used for some configurable time, the NAT can remove the port block from the resource pool allocated to a given internal address, and make it available for other users. In theory, it is unnecessary to log deallocations of blocks of ports, because the ports in deallocated blocks will not be used again until the blocks are reallocated. However, the deallocation may be logged when it occurs to add robustness to troubleshooting or other procedures. The deallocation procedure presents a number of difficulties in practice. The first problem is the choice of timeout value for the block. If idle timers are applied for the individual mappings (sessions) within the block, and these conform to the recommendations for NAT behaviour for the protocol concerned, then the additional time that might be configured as a guard for the block as a whole need not be more than a few minutes. The block timer in this case serves only as a slightly more conservative extension of the individual session idle timers. If, instead, a single idle timer is used for the whole block, it must itself conform to the recommendations for the protocol with which that block of ports is associated. For example, REQ-5 of requires an idle timer expiry duration of at least 2 hours and 4 minutes for TCP. The suggestions made in may be considered for reducing this time. The next issue with port block deallocation is the conflict between the desire to randomize port allocation and the desire to make unused resources available to other internal addresses. As mentioned above, ideally port selection will take place over the entire set of blocks allocated to the internal address. However, taken to its fullest extent, such a policy will minimize the probability that all ports in any given block are idle long enough for it to be released. As an alternative, it is suggested that when choosing which block to select a port from, the NAT should omit from its range of choice the block that has been idle the longest, unless no ports are available in any of the other blocks. The expression "block that has been idle the longest" designates the block in which the time since the last packet was observed in any of its sessions, in either direction, is earlier than the corresponding time in any of the other blocks assigned to that internal address. As points out, port randomization is just one security measure of several, and the loss of randomness incurred by the suggested procedure is justified by the increased utilization of port resources it allows.

Section 12 of provides a good discussion of the traceability issue. Complete traceability given the NAT logging practices proposed in this draft requires that the remote destination record the source port of a request along with the source address (and presumably protocol, if not implicit) . In addition, the logs at each end must be timestamped, and the clocks must be synchronized within a certain degree of accuracy. Here is one reason for the guard timing on block release, to increase the tolerable level of clock skew between the two ends. Where source port logging can be enabled, this memo strongly urges the operators to do so. Similarly, intrusion detection systems should capture source port as well as source address of suspect packets. In some cases , a server may not record the source port of a connection. To allow traceability, the NAT device needs to record the destination IP address of a connection. As points out, this will provide an incomplete solution to the issue of traceability because multiple users of the same shared public IP address may access the service at the same time. From the point of view of this draft, in such situations the game is lost, so to speak, and port allocation at the NAT might as well be completely dynamic. The final possibility to consider is where the NAT does not do per-session logging even given the possibility that the remote end is failing to capture source ports. In that case, the port allocation strategy proposed in this section can be used. The impact on traceability is that analysis of the logs would yield only the list of all internal addresses mapped to a given public address during the period of time concerned. This has an impact on privacy as well as traceability, depending on the follow-up actions taken.

notes several issues introduced by the use of dynamic as opposed to static port assignment. For example, Section 12.2 of that document notes the effect on authentication procedures. These issues must be resolved, but are not specific to the dynamic port-range allocation strategy.

The discussion which follows addresses an issue that is particularly relevant to the strategies described in of this document. The security considerations applicable to NAT operation for various protocols as documented in, for example, and also apply to this proposal. summarizes the TCP port-guessing attack, by means of which an attacker can hijack one end of a TCP connection. One mitigating measure is to make the source port number used for a TCP connection less predictable. provides various algorithms for this purpose. As Section 3.1 of that RFC notes: "...provided adequate algorithms are in use, the larger the range from which ephemeral ports are selected, the smaller the chances of an attacker are to guess the selected port number." Conversely, the reduced range sizes proposed by the present document increase the attacker's chances of guessing correctly. This result cannot be totally avoided. However, mitigating measures to improve this situation can be taken both at port block assignment time and when selecting individual ports from the blocks that have been allocated to a given user. At assignment time, one possibility is to assign ports as non- contiguous sets of values as proposed in . However, this approach creates a lot of complexity for operations, and the pseudo randomization can create uncertainty when the accuracy of logs is important to protect someone's life or liberty. Alternatively, the NAT can assign blocks of contiguous ports. However, at assignment time the NAT could attempt to randomize its choice of which of the available idle blocks it would assign to a given user. This strategy has to be traded off against the desirability of minimizing the chance of conflict between what calls "transport protocol instances" by assigning the most-idle block, as suggested in . A compromise policy might be to assign blocks only if they have been idle for a certain amount of time whenever possible, and select pseudorandomly between the blocks available according to this criterion. In this case it is suggested that the time value used be greater than the guard timing mentioned in , and that no block should ever be reassigned until it has been idle at least for the duration given by the guard timer. Note that with the possible exception of cryptographically-based port allocations, attackers could reverse-engineer algorithmically-derived port allocations to either target a specific subscriber or to spoof traffic to make it appear to have been generated by a specific subscriber. However, this is exactly the same level of security that the subscriber would experience in the absence of CGN. CGN is not intended to provide additional security by obscurity. While the block assignment strategy can provide some mitigation of the port guessing attack, the largest contribution will come from pseudo-randomization at port selection time. provides a number of algoriths for achieving this pseudo-randomization. When the available ports are contained in blocks which are not in general consecutive, the algorithms clearly need some adaptation. The task is complicated by the fact that the number of blocks allocated to the user may vary over time. Adaptation is left as an exercise for the implementor.

This document makes no request of IANA.

This document is the result of a merger of the original draft-chen-sunset4-cgn-port-allocation and draft-tsou-behave-natx4-log-reduction. Version -02 of draft-chen contains the following acknowledgements: The author would like to thank Lee Howard and Simon Perreault for their helpful comments. Many thanks to Wesley George and Marc Blanchet encourage the author to continue this work. The authors of draft-tsou-behave-natx4-log-reduction have their own thanks to give. Mohamed Boucadair reviewed the initial document and provided useful comments to improve it. Reinaldo Penno, Joel Jaeggli, and Dan Wing provided comments on the subsequent version that resulted in major revisions. Serafim Petsis provided encouragement to publication after a hiatus of two years. The present version of the document benefited from further comments by Lee Howard and Mohamed Boucadair.