Internet Engineering Task Force (IETF) S. Perreault, Ed.
Request for Comments: 6888 Viagenie
BCP: 127 I. Yamagata
Updates: 4787 S. Miyakawa
Category: Best Current Practice NTT Communications
ISSN: 2070-1721 A. Nakagawa
Japan Internet Exchange (JPIX)
H. Ashida
Cisco Systems
April 2013
Internet Engineering Task Force (IETF) S. Perreault, Ed.
Request for Comments: 6888 Viagenie
BCP: 127 I. Yamagata
Updates: 4787 S. Miyakawa
Category: Best Current Practice NTT Communications
ISSN: 2070-1721 A. Nakagawa
Japan Internet Exchange (JPIX)
H. Ashida
Cisco Systems
April 2013
Common Requirements for Carrier-Grade NATs (CGNs)
载波级NAT(CGN)的通用要求
Abstract
摘要
This document defines common requirements for Carrier-Grade NATs (CGNs). It updates RFC 4787.
本文件定义了承运人级NAT(CGN)的通用要求。它更新了RFC4787。
Status of This Memo
关于下段备忘
This memo documents an Internet Best Current Practice.
本备忘录记录了互联网最佳实践。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关BCP的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6888.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6888.
Copyright Notice
版权公告
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Requirements for CGNs . . . . . . . . . . . . . . . . . . . 4
4. Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Port Allocation Scheme . . . . . . . . . . . . . . . . . . . 11
6. Deployment Considerations . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . 12
9.2. Informative Reference . . . . . . . . . . . . . . . . . 13
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Requirements for CGNs . . . . . . . . . . . . . . . . . . . 4
4. Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Port Allocation Scheme . . . . . . . . . . . . . . . . . . . 11
6. Deployment Considerations . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . 12
9.2. Informative Reference . . . . . . . . . . . . . . . . . 13
With the shortage of IPv4 addresses, it is expected that more Internet Service Providers (ISPs) may want to provide a service where a public IPv4 address would be shared by many subscribers. Each subscriber is assigned a private address, and a Network Address Translator (NAT) [RFC2663] situated in the ISP's network translates the traffic between private and public addresses. When a second IPv4 NAT is located at the customer edge, this results in two layers of NAT.
由于IPv4地址短缺,预计会有更多的互联网服务提供商(ISP)希望提供公共IPv4地址由多个订户共享的服务。每个订户都被分配一个专用地址,位于ISP网络中的网络地址转换器(NAT)[RFC2663]转换专用地址和公共地址之间的通信量。当第二个IPv4 NAT位于客户边缘时,将产生两层NAT。
This service can conceivably be offered alongside others, such as IPv6 services or regular IPv4 service assigning public addresses to subscribers. Some ISPs started offering such a service long before there was a shortage of IPv4 addresses, showing that there are driving forces other than the shortage of IPv4 addresses. One approach to CGN deployment is described in [RFC6264].
可以想象,该服务可以与其他服务一起提供,例如IPv6服务或为订阅者分配公共地址的常规IPv4服务。一些ISP早在IPv4地址短缺之前就开始提供这样的服务,这表明除了IPv4地址短缺之外还有其他驱动力。[RFC6264]中描述了CGN部署的一种方法。
This document describes behavior that is required of those multi-subscriber NATs for interoperability. It is not an IETF endorsement of CGNs or a real specification for CGNs; rather, it is just a minimal set of requirements that will increase the likelihood of applications working across CGNs.
本文档描述了这些多订户NAT的互操作性所需的行为。它不是IETF对CGN的认可,也不是CGN的真正规范;相反,它只是一组最小的需求,将增加应用程序跨CGN工作的可能性。
Because subscribers do not receive unique IPv4 addresses, Carrier-Grade NATs introduce substantial limitations in communications between subscribers and with the rest of the Internet. In particular, it is considerably more involved to establish proxy functionality at the border between internal and external realms. Some applications may require substantial enhancements, while some others may not function at all in such an environment. Please see "Issues with IP Address Sharing" [RFC6269] for details.
由于订户不接收唯一的IPv4地址,运营商级NAT在订户之间以及与Internet其余部分的通信中引入了很大的限制。特别是,在内部和外部领域之间的边界上建立代理功能要复杂得多。有些应用程序可能需要大量增强,而有些应用程序可能根本无法在这样的环境中运行。有关详细信息,请参阅“IP地址共享问题”[RFC6269]。
This document builds upon previous works describing requirements for generic NATs [RFC4787][RFC5382][RFC5508]. These documents, and their updates if any, still apply in this context. What follows are additional requirements, to be satisfied on top of previous ones.
本文件建立在先前描述通用NAT要求的工作基础上[RFC4787][RFC5382][RFC5508]。这些文档及其更新(如果有)仍适用于此上下文。以下是在先前要求的基础上需要满足的附加要求。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
Readers are expected to be familiar with "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP" [RFC4787] and the terms defined there. The following additional term is used in this document:
读者应熟悉“单播UDP的网络地址转换(NAT)行为要求”[RFC4787]及其定义的术语。本文件中使用了以下附加术语:
Carrier-Grade NAT (CGN): A NAT-based [RFC2663] logical function used to share the same IPv4 address among several subscribers. A CGN is not managed by the subscribers.
运营商级NAT(CGN):一种基于NAT的[RFC2663]逻辑函数,用于在多个订户之间共享相同的IPv4地址。CGN不由订阅者管理。
Note that the term "carrier-grade" has nothing to do with the quality of the NAT; that is left to discretion of implementers. Rather, it is to be understood as a topological qualifier: the NAT is placed in an ISP's network and translates the traffic of potentially many subscribers. Subscribers have limited or no control over the CGN, whereas they typically have full control over a NAT placed on their premises.
注意术语“载体等级”与NAT的质量无关;这由实施者自行决定。相反,它被理解为一个拓扑限定符:NAT被放置在ISP的网络中,并转换潜在多个用户的流量。订阅者对CGN的控制有限或没有控制权,而他们通常对放置在其场所的NAT拥有完全控制权。
Note also that the CGN described in this document is IPv4-only. IPv6 address translation is not considered.
还要注意,本文档中描述的CGN仅为IPv4。不考虑IPv6地址转换。
However, the scenario in which the IPv4-only CGN logical function is used may include IPv6 elements. For example, Dual-Stack Lite (DS-Lite) [RFC6333] uses an IPv4-only CGN logical function in a scenario making use of IPv6 encapsulation. Therefore, this document would also apply to the CGN part of DS-Lite.
但是,使用仅IPv4 CGN逻辑功能的场景可能包括IPv6元素。例如,双栈Lite(DS Lite)[RFC6333]在使用IPv6封装的场景中使用仅IPv4的CGN逻辑函数。因此,本文件也适用于DS Lite的CGN部分。
Figure 1 summarizes a common network topology in which a CGN operates.
图1总结了CGN运行的常见网络拓扑。
.
:
| Internet
............... | ...................
| ISP network
External pool: |
192.0.2.1/26 |
++------++ External realm
........... | CGN |...............
++------++ Internal realm
10.0.0.1 | |
| |
| | ISP network
............. | .. | ................
| | Customer premises
10.0.0.100 | | 10.0.0.101
++------++ ++------++
| CPE1 | | CPE2 | etc.
++------++ ++------++
.
:
| Internet
............... | ...................
| ISP network
External pool: |
192.0.2.1/26 |
++------++ External realm
........... | CGN |...............
++------++ Internal realm
10.0.0.1 | |
| |
| | ISP network
............. | .. | ................
| | Customer premises
10.0.0.100 | | 10.0.0.101
++------++ ++------++
| CPE1 | | CPE2 | etc.
++------++ ++------++
(IP addresses are only for example purposes)
(IP地址仅用于示例目的)
Figure 1: CGN Network Topology
图1:CGN网络拓扑
Another possible topology is one for hotspots, where there is no customer premise or customer premises equipment (CPE), but where a CGN serves a bunch of customers who don't trust each other; hence, fairness is an issue. One important difference with the previous topology is the absence of a second layer of NAT. This, however, has no impact on CGN requirements since they are driven by fairness and robustness in the service provided to customers, which applies in both cases.
另一种可能的拓扑是热点拓扑,其中没有客户场所或客户场所设备(CPE),但CGN服务于一群彼此不信任的客户;因此,公平是一个问题。与以前的拓扑结构的一个重要区别是缺少第二层NAT。然而,这对CGN需求没有影响,因为它们是由向客户提供的服务的公平性和健壮性驱动的,这两种情况都适用。
What follows is a list of requirements for CGNs. They are in addition to those found in other documents such as [RFC4787], [RFC5382], and [RFC5508].
以下是CGN的需求列表。它们是在其他文件(如[RFC4787]、[RFC5382]和[RFC5508]中发现的文件之外的文件。
REQ-1: If a CGN forwards packets containing a given transport protocol, then it MUST fulfill that transport protocol's behavioral requirements. Current applicable documents are as follows:
REQ-1:如果CGN转发包含给定传输协议的数据包,那么它必须满足该传输协议的行为要求。现行适用文件如下:
a. "NAT Behavioral Requirements for Unicast UDP" [RFC4787]
a. “单播UDP的NAT行为要求”[RFC4787]
b. "Network Address Translation (NAT) Behavioral Requirements for TCP" [RFC5382]
b. “TCP的网络地址转换(NAT)行为要求”[RFC5382]
c. "NAT Behavioral Requirements for ICMP" [RFC5508]
c. “ICMP的NAT行为要求”[RFC5508]
d. "Network Address Translation (NAT) Behavioral Requirements for the Datagram Congestion Control Protocol (DCCP)" [RFC5597]
d. “数据报拥塞控制协议(DCCP)的网络地址转换(NAT)行为要求”[RFC5597]
Any future NAT behavioral requirements documents for IPv4 transport protocols will impose additional requirements for CGNs on top of those stated here.
IPv4传输协议的任何未来NAT行为要求文档都将对CGN施加额外的要求,而不是此处所述的要求。
Justification: It is crucial for CGNs to maximize the set of applications that can function properly across them. The IETF has documented the best current practices for UDP, TCP, ICMP, and DCCP.
理由:对于CGN来说,最大化能够跨它们正常运行的应用程序集是至关重要的。IETF记录了UDP、TCP、ICMP和DCCP的当前最佳实践。
REQ-2: A CGN MUST have a default "IP address pooling" behavior of "Paired" (as defined in Section 4.1 of [RFC4787]). A CGN MAY provide a mechanism for administrators to change this behavior on an application protocol basis.
REQ-2:CGN必须具有“配对”的默认“IP地址池”行为(如[RFC4787]第4.1节所定义)。CGN可以为管理员提供一种机制,以便在应用程序协议的基础上更改此行为。
* When multiple overlapping internal IP address ranges share the same external IP address pool (e.g., DS-Lite [RFC6333]), the "IP address pooling" behavior applies to mappings between external IP addresses and internal subscribers rather than between external and internal IP addresses.
* 当多个重叠的内部IP地址范围共享同一个外部IP地址池(例如,DS Lite[RFC6333])时,“IP地址池”行为适用于外部IP地址和内部订户之间的映射,而不是外部IP地址和内部IP地址之间的映射。
Justification: This stronger form of REQ-2 from [RFC4787] is justified by the stronger need for not breaking applications that depend on the external address remaining constant.
理由:来自[RFC4787]的这种更强形式的REQ-2的理由是更需要不中断依赖于外部地址保持不变的应用程序。
Note that this requirement applies regardless of the transport protocol. In other words, a CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols.
请注意,此要求适用于任何传输协议。换句话说,CGN必须对与相同内部IP地址相关联的所有会话使用相同的外部IP地址映射,无论是TCP、UDP、ICMP还是其他协议,或者是不同协议的混合。
The justification for allowing other behaviors is to allow the administrator to save external addresses and ports for application protocols that are known to work fine with other behaviors in practice. However, the default behavior MUST be "Paired".
允许其他行为的理由是允许管理员保存应用程序协议的外部地址和端口,这些协议在实践中与其他行为配合良好。但是,默认行为必须是“成对的”。
REQ-3: The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool. In particular, the CGN function MUST be configurable with contiguous or non-contiguous external IPv4 address ranges.
REQ-3:CGN函数不应该对外部地址池的大小或连续性有任何限制。特别是,CGN函数必须可配置为连续或非连续的外部IPv4地址范围。
Justification: Given the increasing rarity of IPv4 addresses, it is becoming harder for an operator to provide large contiguous address pools to CGNs. Additionally, operational flexibility may require non-contiguous address pools for reasons such as differentiated services, routing management, etc.
理由:考虑到IPv4地址越来越稀少,运营商向CGN提供大型连续地址池变得越来越困难。此外,出于区分服务、路由管理等原因,操作灵活性可能需要非连续地址池。
The reason for having SHOULD instead of MUST is to account for limitations imposed by available resources as well as constraints imposed for security reasons.
有“应该”而不是“必须”的原因是考虑到可用资源所施加的限制以及出于安全原因而施加的限制。
REQ-4: A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber.
REQ-4:CGN必须支持限制每个订阅者分配的外部端口数(或相当于ICMP的“标识符”)。
a. Per-subscriber limits MUST be configurable by the CGN administrator.
a. 每个订户的限制必须由CGN管理员配置。
b. Per-subscriber limits MAY be configurable independently per transport protocol.
b. 每个用户的限制可以根据传输协议独立配置。
c. Additionally, it is RECOMMENDED that the CGN include administrator-adjustable thresholds to prevent a single subscriber from consuming excessive CPU resources from the CGN (e.g., rate-limit the subscriber's creation of new mappings).
c. 此外,建议CGN包括管理员可调整的阈值,以防止单个订户从CGN消耗过多的CPU资源(例如,速率限制订户创建新映射)。
Justification: A CGN can be considered a network resource that is shared by competing subscribers. Limiting the number of external ports assigned to each subscriber mitigates the denial-of-service (DoS) attack that a subscriber could launch against other subscribers through the CGN in order to get a larger share of the resource. It ensures fairness among subscribers. Limiting the rate of allocation mitigates a similar attack where the CPU is the resource being targeted instead of port numbers. However, this requirement is not a MUST because it is very hard to explicitly call out all CPU-consuming events.
理由:CGN可以被认为是由竞争用户共享的网络资源。限制分配给每个订阅者的外部端口的数量可以减轻订阅者可能通过CGN对其他订阅者发起的拒绝服务(DoS)攻击,以获得更大的资源份额。它确保了订户之间的公平。限制分配速率可以缓解类似的攻击,其中CPU是目标资源而不是端口号。但是,这个要求不是必须的,因为很难显式调用所有CPU消耗事件。
REQ-5: A CGN SHOULD support limiting the amount of state memory allocated per mapping and per subscriber. This may include limiting the number of sessions, the number of filters, etc., depending on the NAT implementation.
REQ-5:CGN应该支持限制每个映射和每个订户分配的状态内存量。这可能包括限制会话数量、过滤器数量等,具体取决于NAT实现。
a. Limits SHOULD be configurable by the CGN administrator.
a. 限制应由CGN管理员配置。
b. Additionally, it SHOULD be possible to limit the rate at which memory-consuming state elements are allocated.
b. 此外,应该可以限制分配内存消耗状态元素的速率。
Justification: A NAT needs to keep track of TCP sessions associated with each mapping. This state consumes resources for which, in the case of a CGN, subscribers may compete. It is necessary to ensure that each subscriber has access to a fair share of the CGN's resources. Limiting the rate of allocation is intended to prevent CPU resource exhaustion. Item "B" is at the SHOULD level to account for the fact that means other than rate limiting may be used to attain the same goal.
理由:NAT需要跟踪与每个映射关联的TCP会话。这种状态消耗资源,在CGN的情况下,订阅者可以竞争这些资源。有必要确保每个订户都能获得CGN资源的公平份额。限制分配速率旨在防止CPU资源耗尽。项目“B”处于“应”水平,以说明可使用除利率限制以外的其他手段来实现相同目标。
REQ-6: It MUST be possible to administratively turn off translation for specific destination addresses and/or ports.
REQ-6:必须能够通过管理方式关闭特定目标地址和/或端口的转换。
Justification: It is common for a CGN administrator to provide access for subscribers to servers installed in the ISP's network in the external realm. When such a server is able to reach the internal realm via normal routing (which is entirely controlled by the ISP), translation is unneeded. In that case, the CGN may forward packets without modification, thus acting like a plain router. This may represent an important efficiency gain.
理由:CGN管理员通常为用户提供对安装在外部领域ISP网络中的服务器的访问权限。当这样的服务器能够通过正常路由(完全由ISP控制)到达内部领域时,就不需要翻译了。在这种情况下,CGN可以不经修改地转发分组,从而充当普通路由器。这可能是一个重要的效率增益。
Figure 2 illustrates this use-case.
图2说明了这个用例。
X1:x1 X1':x1' X2:x2
+---+from X1:x1 +---+from X1:x1 +---+
| C | to X2:x2 | | to X2:x2 | S |
| l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
| i | | G | | r |
| e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
| n |from X2:x2 | |from X2:x2 | e |
| t | to X1:x1 | | to X1:x1 | r |
+---+ +---+ +---+
X1:x1 X1':x1' X2:x2
+---+from X1:x1 +---+from X1:x1 +---+
| C | to X2:x2 | | to X2:x2 | S |
| l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
| i | | G | | r |
| e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
| n |from X2:x2 | |from X2:x2 | e |
| t | to X1:x1 | | to X1:x1 | r |
+---+ +---+ +---+
Figure 2: CGN Pass-Through
图2:CGN传递
REQ-7: It is RECOMMENDED that a CGN use an "endpoint-independent filtering" behavior (as defined in Section 5 of [RFC4787]). If it is known that "Address-Dependent Filtering" does not cause the application-layer protocol to break (how to determine this is out of scope for this document), then it MAY be used instead.
REQ-7:建议CGN使用“端点独立过滤”行为(如[RFC4787]第5节所定义)。如果已知“地址相关过滤”不会导致应用层协议中断(如何确定这超出了本文档的范围),则可以改用它。
Justification: This is a stronger form of REQ-8 from [RFC4787]. This is based on the observation that some games and peer-to-peer applications require EIF for the NAT traversal to work. In the context of a CGN, it is important to minimize application breakage.
理由:这是[RFC4787]中REQ-8的一种更强形式。这是基于一些游戏和对等应用程序需要EIF才能进行NAT遍历的观察。在CGN环境中,将应用程序破坏最小化是很重要的。
REQ-8: Once an external port is deallocated, it SHOULD NOT be reallocated to a new mapping until at least 120 seconds have passed, with the exceptions being:
REQ-8:一旦解除分配外部端口,在至少120秒之前不应将其重新分配到新映射,例外情况如下:
a. If the CGN tracks TCP sessions (e.g., with a state machine, as in Section 3.5.2.2 of [RFC6146]), TCP ports MAY be reused immediately.
a. 如果CGN跟踪TCP会话(例如,使用状态机,如[RFC6146]第3.5.2.2节所述),则可以立即重用TCP端口。
b. If external ports are statically assigned to internal addresses (e.g., address X with port range 1000-1999 is assigned to subscriber A, 2000-2999 to subscriber B, etc.), and the assignment remains constant across state loss, then ports MAY be reused immediately.
b. 如果静态地将外部端口分配给内部地址(例如,端口范围为1000-1999的地址X分配给订户A,2000-2999分配给订户B等),并且在状态丢失期间分配保持不变,则可以立即重用端口。
c. If the allocated external ports used address-dependent or address-and-port-dependent filtering before state loss, they MAY be reused immediately.
c. 如果分配的外部端口在状态丢失之前使用了地址相关过滤或地址和端口相关过滤,则可以立即重用这些端口。
The length of time and the maximum number of ports in this state MUST be configurable by the CGN administrator.
CGN管理员必须配置此状态下的时间长度和最大端口数。
Justification: This is necessary in order to prevent collisions between old and new mappings and sessions. It ensures that all established sessions are broken instead of redirected to a different peer.
理由:这是必要的,以防止新旧映射和会话之间发生冲突。它确保所有已建立的会话都被中断,而不是重定向到其他对等方。
The exceptions are for cases where reusing a port immediately does not create a possibility that packets would be redirected to the wrong peer. One can imagine other exceptions where mapping collisions are avoided, thus justifying the SHOULD level for this requirement.
例外情况是,立即重用端口不会造成数据包重定向到错误对等方的可能性。您可以想象其他可以避免映射冲突的异常,从而证明此需求的应级别是合理的。
The 120 seconds value corresponds to the Maximum Segment Lifetime (MSL) from [RFC0793].
120秒值对应于[RFC0793]中的最大段寿命(MSL)。
Note that this requirement also applies to the case when a CGN loses state (due to a crash, reboot, failover to a cold standby, etc.). In that case, ports that were in use at the time of state loss SHOULD NOT be reallocated until at least 120 seconds have passed.
请注意,此要求也适用于CGN失去状态(由于崩溃、重新启动、故障切换到冷备用等)的情况。在这种情况下,在状态丢失时正在使用的端口在至少120秒之前不应重新分配。
REQ-9: A CGN MUST implement a protocol giving subscribers explicit control over NAT mappings. That protocol SHOULD be the Port Control Protocol [RFC6887].
REQ-9:CGN必须实现一个协议,允许订阅者对NAT映射进行显式控制。该协议应为端口控制协议[RFC6887]。
Justification: Allowing subscribers to manipulate the NAT state table with PCP greatly increases the likelihood that applications will function properly.
理由:允许订阅者使用PCP操作NAT状态表大大增加了应用程序正常运行的可能性。
A study of PCP-less CGN impacts can be found in [NAT444]. Another study considering the effects of PCP on a peer-to-peer file sharing protocol can be found in [BITTORRENT].
关于PCP较少的CGN影响的研究见[NAT444]。另一项考虑PCP对对等文件共享协议影响的研究可在[BITTORRENT]中找到。
REQ-10: CGN implementers SHOULD make their equipment manageable. Standards-based management using standards such as "Definitions of Managed Objects for NAT" [RFC4008] is RECOMMENDED.
REQ-10:CGN实施者应使其设备易于管理。建议使用“NAT托管对象定义”[RFC4008]等标准进行基于标准的管理。
Justification: It is anticipated that CGNs will be primarily deployed in ISP networks where the need for management is critical. This requirement is at the SHOULD level to account for the fact that some CGN operators may not need management functionality.
理由:预计CGN将主要部署在需要管理的ISP网络中。这一要求是为了说明某些CGN运营商可能不需要管理功能这一事实。
Note also that there are efforts within the IETF toward creating a MIB tailored for CGNs (e.g., [NAT-MIB]).
还请注意,IETF内部正在努力创建为CGN定制的MIB(例如,[NAT-MIB])。
REQ-11: When a CGN is unable to create a dynamic mapping due to resource constraints or administrative restrictions (i.e., quotas):
REQ-11:当CGN由于资源限制或管理限制(即配额)而无法创建动态映射时:
a. it MUST drop the original packet;
a. 它必须丢弃原始数据包;
b. it SHOULD send an ICMP Destination Unreachable message with code 1 (Host Unreachable) to the sender;
b. 它应该向发送方发送一条代码为1(主机不可访问)的ICMP目的地不可访问消息;
c. it SHOULD send a notification (e.g., SNMP trap) towards a management system (if configured to do so); and
c. 它应该向管理系统发送通知(例如SNMP陷阱)(如果配置为这样做);和
d. it MUST NOT delete existing mappings in order to "make room" for the new one. (This only applies to normal CGN behavior, not to manual operator intervention.)
d. 它不能为了给新映射“腾出空间”而删除现有映射。(这仅适用于正常CGN行为,不适用于手动操作员干预。)
Justification: This is a slightly different form of REQ-8 from [RFC5508]. Code 1 is preferred to code 13 because it is listed as a "soft error" in [RFC1122], which is important because we don't want TCP stacks to abort the connection attempt in this case. See [RFC5461] for details on TCP's reaction to soft errors.
理由:这是与[RFC5508]稍有不同的REQ-8形式。代码1优先于代码13,因为它在[RFC1122]中被列为“软错误”,这很重要,因为在这种情况下,我们不希望TCP堆栈中止连接尝试。有关TCP对软错误的反应的详细信息,请参阅[RFC5461]。
Sending ICMP errors and SNMP traps may be rate-limited for security reasons, which is why requirements B and C are SHOULDs, not MUSTs.
出于安全原因,发送ICMP错误和SNMP陷阱可能会受到速率限制,这就是为什么要求B和C是应该的,而不是必须的。
Applications generally handle connection establishment failure better than established connection failure. This is why dropping the packet initiating the new connection is preferred over deleting existing mappings. See also the rationale in Section 6 of [RFC5508].
应用程序通常比已建立的连接故障更好地处理连接建立故障。这就是为什么丢弃启动新连接的数据包比删除现有映射更可取的原因。另请参见[RFC5508]第6节中的基本原理。
It may be necessary for CGN administrators to be able to identify a subscriber based on external IPv4 address, port, and timestamp in order to deal with abuse. When multiple subscribers share a single external address, the source address and port that are visible at the destination host have been translated from the ones originated by the subscriber.
CGN管理员可能需要能够基于外部IPv4地址、端口和时间戳来识别订户,以便处理滥用。当多个订阅服务器共享一个外部地址时,目标主机上可见的源地址和端口已从订阅服务器发起的地址和端口转换而来。
In order to be able to do this, the CGN would need to log the following information for each mapping created (this list is for informational purposes only and does not constitute a requirement):
为了能够做到这一点,CGN需要为创建的每个映射记录以下信息(此列表仅供参考,不构成要求):
o transport protocol
o 传输协议
o subscriber identifier (e.g., internal source address or tunnel endpoint identifier)
o 订户标识符(例如,内部源地址或隧道端点标识符)
o external source address
o 外部源地址
o external source port
o 外部源端口
o timestamp
o 时间戳
By "subscriber identifier" we mean information that uniquely identifies a subscriber. For example, in a traditional NAT scenario, the internal source address would be sufficient. In the case of DS-Lite, many subscribers share the same internal address and the subscriber identifier is the tunnel endpoint identifier (i.e., the B4's IPv6 address).
“订户标识符”是指唯一标识订户的信息。例如,在传统的NAT场景中,内部源地址就足够了。在DS Lite的情况下,许多订户共享相同的内部地址,订户标识符是隧道端点标识符(即B4的IPv6地址)。
A disadvantage of logging mappings is that CGNs under heavy usage may produce large amounts of logs, which may require large storage volume.
日志映射的一个缺点是,大量使用的CGN可能会生成大量日志,这可能需要很大的存储容量。
REQ-12: A CGN SHOULD NOT log destination addresses or ports unless required to do so for administrative reasons.
REQ-12:CGN不应记录目标地址或端口,除非出于管理原因需要这样做。
Justification: Destination logging at the CGN creates privacy issues. Furthermore, readers should be aware of logging recommendations for Internet-facing servers [RFC6302]. With compliant servers, the destination address and port do not need to be logged by the CGN. This can help reduce the amount of logging.
理由:CGN上的目标日志记录会产生隐私问题。此外,读者应了解面向Internet的服务器的日志记录建议[RFC6302]。对于兼容服务器,CGN不需要记录目标地址和端口。这有助于减少日志记录量。
This requirement is at the SHOULD level to account for the fact that there may be other reasons for logging destination addresses or ports. One such reason might be that the remote server is not following [RFC6302].
这一要求是为了说明记录目标地址或端口可能有其他原因这一事实。其中一个原因可能是远程服务器没有遵循[RFC6302]。
A CGN's port allocation scheme is subject to three competing requirements:
CGN的港口分配方案受制于三个相互竞争的要求:
REQ-13: A CGN's port allocation scheme SHOULD maximize port utilization.
REQ-13:CGN的端口分配方案应最大限度地提高端口利用率。
Justification: External ports are one of the resources being shared by a CGN. Efficient management of that resource directly impacts the quality of a subscriber's Internet connection.
理由:外部端口是CGN共享的资源之一。对该资源的有效管理直接影响到订阅者Internet连接的质量。
Some schemes are very efficient in their port utilization. In that sense, they have good scaling properties (nothing is wasted). Others will systematically waste ports.
有些方案在端口利用率方面非常有效。从这个意义上讲,它们具有良好的缩放特性(不会浪费任何东西)。其他人将有计划地浪费港口。
REQ-14: A CGN's port allocation scheme SHOULD minimize log volume.
REQ-14:CGN的端口分配方案应尽量减少日志量。
Justification: Huge log volumes can be problematic to CGN operators.
理由:巨大的日志量可能会给CGN操作员带来问题。
Some schemes create one log entry per mapping. Others allow multiple mappings to generate a single log entry, which sometimes can be expressed very compactly. With some schemes, the logging frequency can approach that of DHCP servers.
有些方案为每个映射创建一个日志条目。另一些允许多个映射生成单个日志条目,有时可以非常紧凑地表示。使用某些方案,日志记录频率可以接近DHCP服务器的频率。
REQ-15: A CGN's port allocation scheme SHOULD make it hard for attackers to guess port numbers.
REQ-15:CGN的端口分配方案应使攻击者难以猜测端口号。
Justification: Easily guessed port numbers put subscribers at risk of the attacks described in [RFC6056].
理由:容易猜测的端口号使订户面临[RFC6056]中所述的攻击风险。
Some schemes provide very good security in that ports numbers are not easily guessed. Others provide poor security to subscribers.
一些方案提供了非常好的安全性,因为端口号不容易猜测。另一些则为订户提供较差的安全性。
A CGN implementation's choice of port allocation scheme optimizes to satisfy one requirement at the expense of another. Therefore, these are soft requirements (SHOULD as opposed to MUST).
CGN实现对端口分配方案的选择进行了优化,以满足一个需求而牺牲另一个需求。因此,这些是软需求(应该而不是必须)。
Several issues are encountered when CGNs are used [RFC6269]. There is current work in the IETF toward alleviating some of these issues. For example, see [NAT-REVEAL].
使用CGN时会遇到几个问题[RFC6269]。IETF目前正在努力缓解其中一些问题。例如,请参见[NAT-REVEL]。
If a malicious subscriber can spoof another subscriber's CPE, it may cause a DoS to that subscriber by creating mappings up to the allowed limit. An ISP can prevent this with ingress filtering, as described in [RFC2827].
如果恶意订阅者可以欺骗另一订阅者的CPE,它可能会通过创建高达允许限制的映射而导致对该订阅者的拒绝服务。如[RFC2827]所述,ISP可以通过入口过滤来防止这种情况。
This document recommends endpoint-independent filtering (EIF) as the default filtering behavior for CGNs. EIF has security considerations that are discussed in [RFC4787].
本文档建议将端点独立过滤(EIF)作为CGN的默认过滤行为。EIF具有[RFC4787]中讨论的安全注意事项。
NATs sometimes perform fragment reassembly. CGNs would do so at presumably high data rates. Therefore, the reader should be familiar with the potential security issues described in [RFC4963].
NAT有时执行片段重组。CGN可能会以很高的数据速率这样做。因此,读者应该熟悉[RFC4963]中描述的潜在安全问题。
Thanks for the input and review by Alexey Melnikov, Arifumi Matsumoto, Barry Leiba, Benson Schliesser, Dai Kuwabara, Dan Wing, Dave Thaler, David Harrington, Francis Dupont, Jean-Francois Tremblay, Joe Touch, Lars Eggert, Kousuke Shishikura, Mohamed Boucadair, Martin Stiemerling, Meng Wei, Nejc Skoberne, Pete Resnick, Reinaldo Penno, Ron Bonica, Sam Hartman, Sean Turner, Senthil Sivakumar, Stephen Farrell, Stewart Bryant, Takanori Mizuguchi, Takeshi Tomochika, Tina Tsou, Tomohiro Fujisaki, Tomohiro Nishitani, Tomoya Yoshida, Wes George, Wesley Eddy, and Yasuhiro Shirasaki.
感谢Alexey Melnikov、Arifumi Matsumoto、Barry Leiba、Benson Schliesser、Dai Kuwabara、Dan Wing、Dave Thaler、David Harrington、Francis Dupont、Jean-Francois Tremblay、Joe Touch、Lars Eggert、Kousuke Shishikura、Mohamed Boucadair、Martin Stiemering、Meng Wei、Nejc Skoberne、Pete Resnick、Reinaldo Penno、Ron Bonica、,Sam Hartman、Sean Turner、Senthil Sivakumar、Stephen Farrell、Stewart Bryant、Takanori Mizuguchi、Takeshi Tomochika、Tina Tsou、藤崎智弘、西田智博、吉田智雅、乔治、艾迪和白崎安弘。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4008] Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and C. Wang, "Definitions of Managed Objects for Network Address Translators (NAT)", RFC 4008, March 2005.
[RFC4008]Rohit,R.,Srisuresh,P.,Raghunarayan,R.,Pai,N.,和C.Wang,“网络地址转换器(NAT)管理对象的定义”,RFC 4008,2005年3月。
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, January 2007.
[RFC4787]Audet,F.和C.Jennings,“单播UDP的网络地址转换(NAT)行为要求”,BCP 127,RFC 4787,2007年1月。
[RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, October 2008.
[RFC5382]Guha,S.,Biswas,K.,Ford,B.,Sivakumar,S.,和P.Srisuresh,“TCP的NAT行为要求”,BCP 142,RFC 5382,2008年10月。
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT Behavioral Requirements for ICMP", BCP 148, RFC 5508, April 2009.
[RFC5508]Srisuresh,P.,Ford,B.,Sivakumar,S.,和S.Guha,“ICMP的NAT行为要求”,BCP 148,RFC 5508,2009年4月。
[RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) Behavioral Requirements for the Datagram Congestion Control Protocol", BCP 150, RFC 5597, September 2009.
[RFC5597]Denis Courmont,R.,“数据报拥塞控制协议的网络地址转换(NAT)行为要求”,BCP 150,RFC 5597,2009年9月。
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2013.
[RFC6887]Wing,D.,Ed.,Cheshire,S.,Boucadair,M.,Penno,R.,和P.Selkirk,“港口控制协议(PCP)”,RFC 6887,2013年4月。
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981.
[RFC0793]Postel,J.,“传输控制协议”,标准7,RFC 793,1981年9月。
[RFC1122] Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1122]Braden,R.,“互联网主机的要求-通信层”,标准3,RFC 1122,1989年10月。
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.
[RFC2663]Srisuresh,P.和M.Holdrege,“IP网络地址转换器(NAT)术语和注意事项”,RFC 2663,1999年8月。
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。
[RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly Errors at High Data Rates", RFC 4963, July 2007.
[RFC4963]Heffner,J.,Mathis,M.,和B.Chandler,“高数据速率下的IPv4重组错误”,RFC 4963,2007年7月。
[RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461, February 2009.
[RFC5461]Gont,F.,“TCP对软错误的反应”,RFC 54612009年2月。
[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-Protocol Port Randomization", BCP 156, RFC 6056, January 2011.
[RFC6056]Larsen,M.和F.Gont,“传输协议端口随机化建议”,BCP 156,RFC 6056,2011年1月。
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011.
[RFC6146]Bagnulo,M.,Matthews,P.,和I.van Beijnum,“有状态NAT64:从IPv6客户端到IPv4服务器的网络地址和协议转换”,RFC 61462011年4月。
[RFC6264] Jiang, S., Guo, D., and B. Carpenter, "An Incremental Carrier-Grade NAT (CGN) for IPv6 Transition", RFC 6264, June 2011.
[RFC6264]Jiang,S.,Guo,D.,和B.Carpenter,“IPv6过渡的增量载波级NAT(CGN)”,RFC 62642011年6月。
[RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P. Roberts, "Issues with IP Address Sharing", RFC 6269, June 2011.
[RFC6269]福特,M.,布卡达尔,M.,杜兰德,A.,利维斯,P.,和P.罗伯茨,“IP地址共享问题”,RFC 6269,2011年6月。
[RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, "Logging Recommendations for Internet-Facing Servers", BCP 162, RFC 6302, June 2011.
[RFC6302]Durand,A.,Gashinsky,I.,Lee,D.,和S.Sheppard,“面向Internet服务器的日志记录建议”,BCP 162,RFC 6302,2011年6月。
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, August 2011.
[RFC6333]Durand,A.,Droms,R.,Woodyatt,J.,和Y.Lee,“IPv4耗尽后的双栈Lite宽带部署”,RFC 63332011年8月。
[NAT-MIB] Perreault, S., Tsou, T., and S. Sivakumar, "Additional Managed Objects for Network Address Translators (NAT)", Work in Progress, February 2013.
[NAT-MIB]Perreault,S.,Tsou,T.,和S.Sivakumar,“网络地址转换器(NAT)的其他托管对象”,正在进行的工作,2013年2月。
[NAT-REVEAL] Boucadair, M., Touch, J., Levis, P., and R. Penno, "Analysis of Solution Candidates to Reveal a Host Identifier (HOST_ID) in Shared Address Deployments", Work in Progress, April 2013.
[NAT-REVEL]Boucadair,M.,Touch,J.,Levis,P.,和R.Penno,“分析备选解决方案,以显示共享地址部署中的主机标识符(主机ID)”,正在进行的工作,2013年4月。
[NAT444] Donley, C., Ed., Howard, L., Kuarsingh, V., Berg, J., and J. Doshi, "Assessing the Impact of Carrier-Grade NAT on Network Applications", Work in Progress, April 2013.
[NAT444]Donley,C.,Ed.,Howard,L.,Kuarsingh,V.,Berg,J.,和J.Doshi,“评估运营商级NAT对网络应用的影响”,正在进行的工作,2013年4月。
[BITTORRENT] Boucadair, M., Zheng, T., Deng, X., and J. Queiroz, "Behavior of BitTorrent service in PCP-enabled networks with Address Sharing", Work in Progress, May 2012.
[BITTORRENT]Boucadair,M.,Zheng,T.,Deng,X.,和J.Queiroz,“具有地址共享功能的PCP网络中BITTORRENT服务的行为”,正在进行的工作,2012年5月。
Authors' Addresses
作者地址
Simon Perreault (editor) Viagenie 246 Aberdeen Quebec, QC G1R 2E1 Canada
Simon Perreault(编辑)加拿大魁北克省阿伯丁市Viagenie 246号QC G1R 2E1
Phone: +1 418 656 9254
EMail: simon.perreault@viagenie.ca
URI: http://www.viagenie.ca
Phone: +1 418 656 9254
EMail: simon.perreault@viagenie.ca
URI: http://www.viagenie.ca
Ikuhei Yamagata NTT Communications Corporation Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku Tokyo 108-8118 Japan
Ikuhei Yamagata NTT通信公司大公园大厦17楼,3-4-1 Shibaura,Minato ku东京108-8118
Phone: +81 50 3812 4704
EMail: ikuhei@nttv6.jp
Phone: +81 50 3812 4704
EMail: ikuhei@nttv6.jp
Shin Miyakawa NTT Communications Corporation Gran Park Tower 17F, 3-4-1 Shibaura, Minato-ku Tokyo 108-8118 Japan
新宫川NTT通信公司大公园大厦17楼,3-4-1 Shibaura,Minato ku东京108-8118
Phone: +81 50 3812 4695
EMail: miyakawa@nttv6.jp
Phone: +81 50 3812 4695
EMail: miyakawa@nttv6.jp
Akira Nakagawa Japan Internet Exchange Co., Ltd. (JPIX) Otemachi Building 21F, 1-8-1 Otemachi, Chiyoda-ku Tokyo 100-0004 Japan
日本东京千代田区大田町1-8-1号大田町21楼中川昭一日本互联网交换有限公司(JPIX)100-0004
Phone: +81 90 9242 2717
EMail: a-nakagawa@jpix.ad.jp
Phone: +81 90 9242 2717
EMail: a-nakagawa@jpix.ad.jp
Hiroyuki Ashida Cisco Systems Midtown Tower, 9-7-1, Akasaka Minato-Ku, Tokyo 107-6227 Japan
Hiroyuki Ashida Cisco Systems Midtown Tower,9-7-1,Akasaka Minato Ku,东京107-6227
EMail: hiashida@cisco.com
EMail: hiashida@cisco.com