Akamai Technologies, Inc.

150 Broadway Cambridge, MA 02144 United States of America jakeholland.net@gmail.com

Ops Mboned Internet-Draft This document defines a method for a network to maintain Network Address Translation address mappings for the transport of globally addressed multicast traffic within a network that can’t otherwise forward the globally addressed traffic. A new Multicast Network Address Translation (MNAT) service is defined to communicate the address mappings to ingress and egress points within the network, and considerations for operation of the MNAT service are described.

Network Address Translation is very widely used for unicast traffic in a variety of networks and according to a variety of mechanisms. is recommended reading for background on the ways unicast NAT is used. The handling of multicast traffic can pose a variety of additional problems for a network, some of which can be mitigated or avoided if traffic can be mapped to a different address space than its original addressing. This document defines a new service, Multicast Network Address Translation (MNAT) as a mechanism to administer network address mappings for multicast traffic within a network, for the purpose of working around various addressing-related issues. An overview of some of the motivating use cases that require network address remapping for multicast traffic is given in . An explanation of the protocol operation is given in . Messaging to and from the MNAT service is defined with RESTCONF using the YANG model in . Unlike traditional unicast NAT, MNAT performs address translation at both an ingress point to the network where the traffic is transformed to use an address scheme local to the network, and also at an egress point from the network where the traffic is transformed back to the original address scheme for further forwarding, or for further processing by a receiving application.

The reader is assumed to be familiar with the concepts and terminology regarding source-specific multicast as described in and the use of IGMPv3 and MLDv2 for group management of source-specific multicast channels, as described in . The reader is also assumed to be familiar with the concepts and terminology for RESTCONF and YANG . The reader is also assumed to be familiar with the use of DNS-SD for discovery of services provided by the network to end hosts.

Term Definition (S,G) A source-specific multicast channel, as described in . A pair of IP addresses with a source host IP and destination group IP. egress node A MNAT client operating at a point where NATted multicast traffic exits the network (close to the receiver) ingress node A MNAT client operating at a point where multicast traffic enters the network and gets NATted (close to the sender) MNAT client A client using the ietf-mnat YANG model via RESTCONF, or a client with equivalent signaling to an MNAT service. NATted traffic Multicast traffic that has been translated to use addressing or encapsulation assigned locally within the network, rather than its original global addressing. SSM Source-specific multicast, as described in The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in and when, and only when, they appear in all capitals, as shown here.

This section lists use cases where a global (S,G) may not be possible to transport within a network, requiring the use of some kind of encapsulation or address translation in order to adequately communicate the group membership for packet replication within the network, or in order to perform the forwarding for the subscribed traffic within the network. Global IPv6 (S,G)s subscribed from within an IPv4-only network, or global IPv4 (S,G)s subscribed from within an IPv6-only network. Networks with legacy devices that support only IGMPv2 or MLDv1, or otherwise do not support SSM and cannot discover the external sources without the use of non-standard services since interdomain any-source multicast has been deprecated (see ). Networks that ingest external multicast traffic in a way that the route to the source of the traffic does not go through the ingest point may need to use a different source so that the Reverse Path Forwarding (RPF) can find the correct network location for the ingest. Networks that provision multicast transport and packet replication channels with static routing instead of dynamic tree-building protocols like PIM-SM . Networks using VLAN for traffic segregation and has Layer 2 access devices that assign VLAN tags according to MAC addresses will get MAC address collisions among multicast groups. Because the bits used for the multicast addresses come from the bottom 23 bits of the destination group address as described in , and those bits can collide between groups, especially in SSM. This breaks the traffic segregation in such devices. A note elaborating on the use of static routing for multicast groups: Some networks have found that there are good use cases to deliver a limited set of packet-replicating flows, including sometimes the use of externally sourced multicast traffic, but have struggled with the operational complexity of operating a dynamic tree-building system based on PIM-SM . Operating an MNAT service can allow these networks to provide for the limited use of packet-replicating data channels while keeping the operational complexity of handling a dynamically changing set of channels confined to a single service that implements their business logic for admission control, rather than trying to apply access control lists for group membership propagation spread across the network.

Note to RFC Editor: Please remove this section and its subsections before publication. This section is to provide references to make it easier to review the development and discussion on the draft so far.

This document is in the Github repository at: https://github.com/GrumpyOldTroll/draft-ietf-mnat Readers are welcome to open issues and send pull requests for this document. Please note that contributions may be merged and substantially edited, and as a reminder, please carefully consider the Note Well before contributing: https://datatracker.ietf.org/submit/note-well/ Substantial discussion of this document should take place on the MBONED working group mailing list (mboned@ietf.org). Join: https://www.ietf.org/mailman/listinfo/mboned Search: https://mailarchive.ietf.org/arch/browse/mboned/

There is an implementation prototype (MIT-licensed) at: https://github.com/GrumpyOldTroll/mnat Pull requests, comments, testing and deployment reports, etc. are very welcome. Contributors before RFC publication will be credited in this document unless requested otherwise.

The use of MNAT within a network is defined in terms the folowing entities: MNAT service ingress nodes egress nodes Address translation is performed at the ingress (closest to the sender) and egress (closest to the receiver) nodes. Ingress is where an external (S,G) is mapped to locally assigned address mapping before being forwarded for transport within the network. Egress is where the traffic received on locally assigned addresses is translated back to the corresponding external (S,G) address before being forwarded for further transmission or processed by a receiving application. The MNAT service maintains the mapping between external (S,G)s and the local network addresses used to transport traffic of those (S,G)s within the network. The address mapping is performed according to the needs of the network operating the MNAT service, to satisfy whatever constraints and restrictions may be necessary or desirable according to the operational considerations within that network. Some example considerations that have motivated the design of MNAT are described in . Ingress and egress nodes communicate with the MNAT service according to the schema defined by the YANG model in . In particular, they maintain an up-to-date table of the mappings between the external (S,G)s and the locally assigned addresses for transport within the network in order to perform the corresponding network address translations. TBD: probably add a diagram here. Probably something roughly similar to page 7 of the IETF 108 mboned presentation touching on this: https://www.ietf.org/proceedings/108/slides/slides-108-mboned-status-update-on-multicast-to-the-browser-00.pdf#page=7

Egress nodes can run in at least two separate modes of operation. One of the modes is “bump in the wire”, which refers to a node that receives traffic using the network-assigned locally chosen addresses, and translates the traffic back to the associated externally addressed (S,G) before forwarding the traffic along the rest of the network paths to the receiving applications that tried to join the external (S,G). The second mode is “bump in the host”, which refers to a virtual node operating inside a client application. As a “bump in the host” egress node, the virtual egress node can discover and connect to the MNAT service from a receiving application. The receiving application would then use the knowledge about the address mapping within the network to perform a join for the mapped addresses in the local network, rather than for the external (S,G), treating the payloads of the packets received as though they arrived with the external (S,G) addressing. A common scenario for a bump in the wire egress node deployment might be to have egress nodes operating in Customer Premises Equipment (CPE), such as a Cable Modem or Wi-Fi router inside the home of a customer to a multicast-capable Internet Service Provider (ISP). In this scenario, the egress node discovery mechanism for the MNAT service might be a static configuration for the MNAT service’s hostname, pushed by the ISP to the CPE devices. For a bump in the host egress node, the discovery of the MNAT service might either operate via DNS-SD using a search domain for the ISP distributed to hosts via a DHCP Domain Search option , or via configuration instructions the ISP gives to their customers to configure a search domain for their devices, or to configure the MNAT service’s hostname for that ISP in their applications.

It is RECOMMENDED that egress devices in end-user operating systems or applications use DNS-SD by default to discover an MNAT service within their containing networks. However, a network may require the use of other mechanisms, including options such as manual configuration, so implementors are advised to offer manual configuration options in addition. As long as an MNAT client can find a valid hostname to use, it can connect to the given MNAT service and monitor changes to the address assignments within the network.

TBD: recommendations for noticing and discontinuing use of MNAT services that report mappings that don’t correspond to the mappings apparently in use in the client’s local network (particularly from egress nodes).

TBD: describe the RESTCONF validation and bootstrapping steps. Use the same section name from I-D.draft-ietf-mboned-dorms as a template, assuming it passes a wider review.

When possible, changes to the group assignments should be communicated with subscriptions to data model updates using a server push mechanism, for example as described in . Where clients or servers do not support server push updates, long polling can be used instead to provide timely updates. See for an explanation of the approach and a discussion of its pros and cons. If long polling and server push are both unavailable, MNAT clients may need to poll the server to monitor updates instead. This approach is likely to encounter delays in the detection of changes to mapping decisions within the MNAT service, but can be used as a last resort for providing multicast connectivity.

MNAT clients open a persistent connection to the MNAT service and request allocation of a watcher key with the get-new-watcher-key rpc. Watcher keys are identifiers chosen by the MNAT service and communicated to client nodes in the response to a successful get-new-egress-key rpc. Watcher keys SHOULD be based on a random value and unique per new key requested. Egress nodes communicate an interest in global (S,G)s by posting updates to the egress-global-joined container under a watcher with id equal to their watcher-key. Ingress nodes communicate an interest in sets of global (S,G)s by providing a monitor object with a matching filter under a watcher with id equal to their watcher-key. Watcher-keys expire if the refresh-watcher-id rpc is not invoked within the refresh-period given in the response to the get-new-watcher-id rpc. TBD: better explanation about how the service times out egress nodes that don’t refresh their egress key on schedule, and how egress nodes that reconnect can attempt to refresh the prior key they were using, but must request a new one on error. Probably define a state per egress key (e.g. active vs. recently expired vs. non-existant) for the MNAT service to maintain. Explain how the MNAT service should use population count from the egress joins to make prioritization decisions for the assignment of flows when there is limited flow space. Probably reference CBACC in that explanation (I-D.draft-ietf-mboned-cbacc).

The egress-global-joined container in the YANG model provides a mechanism for egress nodes to directly advertise their group membership to the MNAT service for externally addressed (S,G)s. Egress nodes advertise their group membership to external (S,G)s to the MNAT service and also advertise group membership to their next-hop router using IGMP or MLD for the locally mapped addressing withing the network. Joins and leaves for the locally mapped network addresses occur in response to downstream joins for an external (S,G) that has or gains a mapping according to the MNAT service, when the join or leave propagates to the egress node. Payloads of the locally mapped traffic should be treated as though they were carried in packets addressed as the external (S,G), including any authentication checks that should be performed for the traffic. Egress nodes that forward traffic (non-virtual egress nodes) will perform an address translation from the locally mapped addressing to the original (S,G) (according to the address mapping the MNAT service provides) before forwarding packets matching a locally mapped address. It is the responsibility of the MNAT service and the network that operates it to ensure that multiple different traffic streams are not merged to the same locally mapped addresses in a way that collides.

Like egress nodes, ingress nodes monitor the assignments provided by the MNAT service and perform network address translation and group membership propagation. Ingress nodes perform the translation from an external (S,G) to the internally mapped addressing for the local network transport. In general, ingress nodes are translating traffic before the in-network multicast fanout to multiple egress nodes. So an ingress node is generally assumed to be feeding one or more egress nodes. Because one ingress node can feed many egress nodes, ingress nodes should be given priority ahead of egress nodes for notifications about changes to the address mapping from the MNAT service.

The details of the address assignment strategies used by the internal logic of the MNAT service are out of scope for this document. Different instances of MNAT services are expected to use a wide range of considerations specific to the networks in which the instances operate. However, outside of address assignment there are some operational points an MNAT service instance should take into consideration: Assignment Transition Grace Period It’s recommended to provide a grace period between reassigning a local address mapping to a new external (S,G) after unassigning its mapping to an old (S,G). The grace period should account for the expected time for the connected ingress and egress nodes to process the unassigning of the external (S,G) and for egress nodes to perform leave operations for the old locally mapped address, and for the leave operations to propagate through the network. Scaling The MNAT service should be appropriately provisioned to support the expected number of ingress and egress nodes within the network. In an eyeball network, restrictions on the number of egress nodes per shared receiver IP address may be appropriate, to avoid a rogue client application from forming an excessive number of egress connections. Alternately, for bump-in-the-wire deployments of egress nodes in CPE devices it may be appropriate to authenticate the egress connections with a client certificate for each home to avoid denial of service attacks based on overloading the MNAT service with egress connections. Additionally, it’s RECOMMENDED to provide per-egress limits on the number of external simultaneous (S,G)s permitted per egress at a level appropriate to the scaling limitations for the network, to avoid denial of service attacks based on overloading the group assignments.

TBD: show what an expected example message sequence or 2 would look like.

The tree diagram below uses the notation defined in .

file ietf-mnat@2020-12-23.yang module ietf-mnat { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-mnat"; prefix mnat; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } import ietf-routing-types { prefix "rt-types"; reference "RFC 8294"; } organization "IETF MBONED (Multicast Backbone Deployment) Working Group"; contact "WG Web: WG List: Author: Jake Holland "; description "Multicast Network Address Translation Model. Copyright (c) 2012 - 2020 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision "2020-10-22" { description "Initial version."; } grouping multicast-channel { choice channel-type { description "ASM or SSM multicast channels can be represented."; case ssm-channel { leaf source { type inet:ip-address; mandatory true; description "Source address of a multicast channel"; } leaf group { type rt-types:ip-multicast-group-address; mandatory true; description "The global (S,G)'s group address"; } } case asm-channel { leaf asm-group { type rt-types:ip-multicast-group-address; mandatory true; description "The global (S,G)'s group address"; } } } } grouping monitor-definition { choice monitor-type { description "Definition of monitor characteristics."; case monitor-global-sources { leaf global-source-prefix { type inet:ip-prefix; mandatory true; description "Prefix to match for source IPs."; } } } } typedef watcher-key { type string; description "A key for egress identification."; } typedef assignment-id { type uint32; description "A type for assignment identifiers."; } identity assignment-state { description "Base identity to represent assignment states"; } typedef assignment-state { type identityref { base assignment-state; } description "Status of an assigned (S,G)."; } identity unassigned { base assignment-state; description "Represents an unassigned global (S,G) that cannot be received in the local network."; } identity assigned-local-multicast { base assignment-state; description "Represents an assigned global (S,G) that can be received in the local network by joining the associated local-mapping."; } container egress-global-joined { description "Declarations of subscriptions to global (S,G)s per egress."; list watcher { key "id"; description "Mappings of traffic that correspond to the registered interest list for a given watch id (from the get-new-watcher-id rpc)"; leaf id { type watcher-key; description "Identifier from get-new-watcher-id. Tracks assignments of interest to the specific watcher."; } list joined-sg { key "id"; leaf id { type string; description "id of the joined (S,G)"; } description "(S,G)s in the global address space that an egress is joined to. These should get corresponding entries in the assigned-channels lists."; uses multicast-channel; } } } container ingress-watching { description "Matches on (S,G)s that get ingested from this ingress."; list watcher { key "id"; description "Mappings of traffic that correspond to the registered interest list for a given watch id (from the get-new-watcher-id rpc)"; leaf id { type watcher-key; description "Identifier from get-new-watcher-id. Tracks assignments of interest to the specific watcher."; } list monitor { key "id"; leaf id { type string; description "id of the monitor definition"; } uses monitor-definition; } } } container assigned-channels { config false; description "MNAT mappings of global (S,G)s into a local transport."; list watcher { key "id"; description "Mappings of traffic that correspond to the registered interest list for a given watch id (from the get-new-watcher-id rpc)"; leaf id { type watcher-key; description "Identifier from get-new-watcher-id. Tracks assignments of interest to the specific watcher."; } list mapped-sg { key "id"; description "The local network's assignment of global channels to local transport characteristics."; leaf id { type assignment-id; mandatory true; description "Identifier for this assignment."; } leaf state { type assignment-state; mandatory true; description "Status of the global (S,G)s that are assigned in the local network."; } container global-subscription { description "The global channel that's mapped."; uses multicast-channel; } container local-mapping { choice mapping-type { description "The description of how the global channel is transported within the local network"; case local-multicast-mapping { description "Defines the use of a local multicast (S,G) or (*,G)."; uses multicast-channel; } } } } } } rpc get-new-watcher-id { description "Obtain a secret key unique to an individual mnat-egress instance, assigned by the server and used for subscription management."; output { leaf watcher-id { type watcher-key; mandatory true; description "Identifier for assignment monitoring."; } leaf refresh-period { type uint16; default 10; description "Number of seconds to wait between refresh messages."; } } } rpc refresh-watcher-id { description "A secret key unique to an individual mnat-egress instance, assigned by the server and used for subscription management."; input { leaf watcher-id { type watcher-key; mandatory true; description "Egress identifier for assignment monitoring."; } } output { leaf refresh-period { type uint16; default 10; description "Number of seconds to wait between refresh messages."; } } } } ]]>

This document adds one YANG module to the “YANG Module Names” registry maintained at <https://www.iana.org/assignments/yang-parameters>. The following registrations are made, per the format in Section 14 of :

This document adds the following registration to the “ns” subregistry of the “IETF XML Registry” defined in , referencing this document.

This document adds one service name to the “Service Name and Transport Protocol Port Number Registry” maintained at <https://www.iana.org/assignments/service-names-port-numbers>. The following registrations are made, per the format in Section 8.1.1 of :

Contact: IETF Chair Description: The MNAT service (RESTCONF that includes ietf-mnat YANG model) Reference: I-D.draft-jholland-mboned-mnat Port Number: N/A Service Code: N/A Known Unauthorized Uses: N/A Assignment Notes: N/A ]]>

TBD. (What, me worry?) Notable points to cover: communcation with the MNAT service should be secured. RESTCONF does this, alternate methods should also do it. separate authentication of the contents of the multicast traffic is recommended. mistaken mappings can result in receipt of payloads for the wrong channel. This can happen transiently even during normal operation. Recommend some steps to mitigate and avoid. Clients can (deliberately or accidentally) overload the service. Limits should be set to avoid disrupting traffic to the rest of the network.

Thanks to Lenny Giuliano for very helpful comments on this document.

This memo specifies the extensions required of a host implementation of the Internet Protocol (IP) to support multicasting. Recommended procedure for IP multicasting in the Internet. This RFC obsoletes RFCs 998 and 1054. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document updates RFC 2710, and it specifies Version 2 of the ulticast Listener Discovery Protocol (MLDv2). MLD is used by an IPv6 router to discover the presence of multicast listeners on directly attached links, and to discover which multicast addresses are of interest to those neighboring nodes. MLDv2 is designed to be interoperable with MLDv1. MLDv2 adds the ability for a node to report interest in listening to packets with a particular multicast address only from specific source addresses or from all sources except for specific source addresses. [STANDARDS-TRACK] The Internet Group Management Protocol Version 3 (IGMPv3) and the Multicast Listener Discovery Protocol Version 2 (MLDv2) are protocols that allow a host to inform its neighboring routers of its desire to receive IPv4 and IPv6 multicast transmissions, respectively. Source-specific multicast (SSM) is a form of multicast in which a receiver is required to specify both the network-layer address of the source and the multicast destination address in order to receive the multicast transmission. This document defines the notion of an "SSM-aware" router and host, and clarifies and (in some cases) modifies the behavior of IGMPv3 and MLDv2 on SSM-aware routers and hosts to accommodate source-specific multicast. This document updates the IGMPv3 and MLDv2 specifications. [STANDARDS-TRACK] IP version 4 (IPv4) addresses in the 232/8 (232.0.0.0 to 232.255.255.255) range are designated as source-specific multicast (SSM) destination addresses and are reserved for use by source-specific applications and protocols. For IP version 6 (IPv6), the address prefix FF3x::/32 is reserved for source-specific multicast use. This document defines an extension to the Internet network service that applies to datagrams sent to SSM addresses and defines the host and router requirements to support this extension. [STANDARDS-TRACK] This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD. YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF). This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF). RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language. This document describes a mechanism that allows subscriber applications to request a continuous and customized stream of updates from a YANG datastore. Providing such visibility into updates enables new capabilities based on the remote mirroring and monitoring of configuration and operational state. This document attempts to describe the operation of NAT devices and the associated considerations in general, and to define the terminology used to identify various flavors of NAT. This memo provides information for the Internet community. This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas. YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK] On today's Internet, the Hypertext Transfer Protocol (HTTP) is often used (some would say abused) to enable asynchronous, "server- initiated" communication from a server to a client as well as communication from a client to a server. This document describes known issues and best practices related to such "bidirectional HTTP" applications, focusing on the two most common mechanisms: HTTP long polling and HTTP streaming. This document is not an Internet Standards Track specification; it is published for informational purposes. This document defines the procedures that the Internet Assigned Numbers Authority (IANA) uses when handling assignment and other requests related to the Service Name and Transport Protocol Port Number registry. It also discusses the rationale and principles behind these procedures and how they facilitate the long-term sustainability of the registry.This document updates IANA's procedures by obsoleting the previous UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the IANA Allocation Guidelines, and it updates the IANA service name and port assignment procedures for UDP-Lite, the Datagram Congestion Control Protocol (DCCP), and the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV specification to clarify what a service name is and how it is registered. This memo documents an Internet Best Current Practice. This document specifies Protocol Independent Multicast - Sparse Mode (PIM-SM). PIM-SM is a multicast routing protocol that can use the underlying unicast routing information base or a separate multicast-capable routing information base. It builds unidirectional shared trees rooted at a Rendezvous Point (RP) per group, and it optionally creates shortest-path trees per source.This document obsoletes RFC 4601 by replacing it, addresses the errata filed against it, removes the optional (*,*,RP), PIM Multicast Border Router features and authentication using IPsec that lack sufficient deployment experience (see Appendix A), and moves the PIM specification to Internet Standard. This document recommends deprecation of the use of Any-Source Multicast (ASM) for interdomain multicast. It recommends the use of Source-Specific Multicast (SSM) for interdomain multicast applications and recommends that hosts and routers in these deployments fully support SSM. The recommendations in this document do not preclude the continued use of ASM within a single organization or domain and are especially easy to adopt in existing deployments of intradomain ASM using PIM Sparse Mode (PIM-SM). IEEE