source: draft-cheshire-pcp-anycast/draft-ietf-pcp-anycast.xml @ 355

Last change on this file since 355 was 355, checked in by ietf-pcp@…, 8 years ago

s/external/internal/

File size: 25.8 KB
Line 
1<?xml version="1.0" encoding="US-ASCII"?>
2<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
3<?rfc toc="yes"?>
4<?rfc tocompact="yes"?>
5<?rfc tocdepth="3"?>
6<?rfc tocindent="yes"?>
7<?rfc symrefs="yes"?>
8<?rfc sortrefs="yes"?>
9<?rfc comments="yes"?>
10<?rfc inline="yes"?>
11<?rfc compact="no"?>
12<?rfc subcompact="no"?>
13<rfc category="std" docName="draft-ietf-pcp-anycast-02" ipr="trust200902">
14  <front>
15    <title abbrev="PCP Anycast Address">PCP Anycast Address</title>
16
17    <author fullname="Sebastian Kiesel" initials="S." surname="Kiesel">
18      <organization abbrev="University of Stuttgart">University of Stuttgart
19      Information Center</organization>
20
21      <address>
22        <postal>
23          <street>Networks and Communication Systems Department</street>
24          <street>Allmandring 30</street>
25
26          <city>Stuttgart</city>
27
28          <code>70550</code>
29
30          <country>Germany</country>
31        </postal>
32
33        <email>ietf-pcp@skiesel.de</email>
34      </address>
35    </author>
36
37    <author fullname="Reinaldo Penno" initials="R." surname="Penno">
38      <organization>Cisco Systems, Inc.</organization>
39
40      <address>
41        <postal>
42          <street/>
43
44          <city>San Jose</city>
45
46          <region>CA</region>
47
48          <code/>
49
50          <country>US</country>
51        </postal>
52
53        <phone/>
54
55        <facsimile/>
56
57        <email>repenno@cisco.com</email>
58
59        <uri/>
60      </address>
61    </author>
62
63    <author fullname="Stuart Cheshire" initials="S." surname="Cheshire">
64      <organization abbrev="Apple">Apple Inc.</organization>
65
66      <address>
67        <postal>
68          <street>1 Infinite Loop</street>
69
70          <city>Cupertino</city>
71
72          <region>California</region>
73
74          <code>95014</code>
75
76          <country>USA</country>
77        </postal>
78
79        <phone>+1 408 974 3207</phone>
80
81        <email>cheshire@apple.com</email>
82      </address>
83    </author>
84
85
86    <date year="2014"/>
87
88    <workgroup>PCP working group</workgroup>
89
90    <abstract>
91      <t>The Port Control Protocol (PCP) Anycast Address enables PCP clients to
92      transmit signaling messages to their closest on-path NAT, Firewall, or other
93      middlebox, without having to learn the IP address of that middlebox via
94      some external channel.  This document establishes one well-known
95      IPv4 address and one well-known IPv6 address to be used as
96      PCP Anycast Address.</t>
97    </abstract>
98  </front>
99
100  <middle>
101    <section anchor="intro" title="Introduction">
102
103      <t>The Port Control Protocol (PCP) <xref target="RFC6887"/>
104      provides a mechanism to control how
105      incoming packets are forwarded by upstream devices such as Network
106      Address Translator IPv6/IPv4 (NAT64), Network Address Translator
107      IPv4/IPv4 (NAT44), IPv6 and IPv4 firewall devices, and a mechanism to
108      reduce application keep alive traffic.</t>
109
110      <t>The PCP document <xref target="RFC6887"/>
111      specifies the message formats used, but the address to which a client
112      sends its request is either assumed to be the default router (which is
113      appropriate in a typical single-link residential network) or has to be
114      configured otherwise via some external mechanism, such as DHCP.
115      The properties and drawbacks of various mechanisms are discussed in
116      <xref target="appendix-alternatives"/>.</t>
117
118      <t>This document follows a different approach: it establishes a
119      well-known anycast address for the PCP Server.
120      PCP clients are expected to send requests to this
121      address during the PCP Server discovery process. A PCP Server configured
122      with the anycast address could optionally redirect or return a list of
123      unicast PCP Servers to the client. For a more extensive discussion
124      on anycasting see <xref target="appendix_anycast_discussion"/>.</t>
125
126      <t>The benefit of using an anycast address is simplicity and
127      reliability. In an example deployment scenario: <list style="numbers">
128          <t>A network administrator installs a PCP-capable NAT.</t>
129
130          <t>An end user (who may be the same person) runs a PCP-enabled
131          application. This application can implement PCP with purely
132          user-level code -- no operating system support is required.</t>
133
134          <t>This PCP-enabled application sends its PCP request to the PCP
135          anycast address. This packet travels through the network like any
136          other, without any special support from DNS, DHCP, other routers, or
137          anything else, until it reaches the PCP-capable NAT, which receives
138          it, handles it, and sends back a reply.</t>
139        </list> Using the PCP anycast address, the only two things that need
140      to be deployed in the network are the two things that actually use PCP:
141      The PCP-capable NAT, and the PCP-enabled application. Nothing else in
142      the network needs to be changed or upgraded, and nothing needs to be
143      configured, including the PCP client.</t>
144
145    </section>
146
147
148
149    <section anchor="spec"
150             title="PCP Server Discovery based on well-known IP Address">
151      <section title="PCP Discovery Client behavior">
152        <t>PCP Clients that need to discover PCP servers SHOULD first send a
153        PCP request to the configured PCP server or to the default router,
154        as described in Section 8.1 of <xref target="RFC6887"/>.  However,
155        differing from Section 8.1.1 of <xref target="RFC6887"/>, MRC
156        (Maximum Retransmission Count) is set to 4.  Trying the configured
157        PCP server or the default router first is important because in the
158        case of cascaded PCP Servers, all of them need to be discovered in
159        order of hop distance from the client. </t>
160       
161        <t>If contacting the configured PCP server or the default router
162        does not succeed with this first approach, the PCP client
163        re-initializes RT based on IRT, and
164        it resets MRC to its "normal" value (0 unless a different value is
165        requested by the application), as described in Section 8.1.1 of
166        <xref target="RFC6887"/>.
167        Then, the PCP client repeatedly transmits a message to the
168        configured PCP server or the default router, waits RT, transmits a
169        message to the anycast address, waits RT, recalculates RT as specified
170        in Section 8.1.1 of <xref target="RFC6887"/>, and starts again
171        with a retransmission to the configured PCP server or the default
172        router. This procedure continues until a reply is received or
173        or the PCP client is no longer interested in the PCP transaction
174        or the message exchange is considered to have failed according to
175        MRC/MRD.</t>
176       
177        <t>The PCP client SHOULD select the PCP anycast address to be of the
178        same IP address family as its requested PCP mapping, i.e., the
179        address family of the Requested Internal IP Address.</t>
180       
181      </section>
182
183      <section title="PCP Discovery Server behavior">
184        <t>A PCP Server can be configured to listen on the anycast address for
185        incoming PCP requests.</t>
186
187        <t>PCP responses are sent from that same IANA-assigned address (see
188        Page 5 of <xref target="RFC1546"/>).</t>
189      </section>
190    </section>
191
192    <section title="Deployment Considerations">
193        <t>There are known limitations when there is more than one
194        PCP server and asymmetric routing, or similar scenarios.
195        Mechanisms to deal with those situations, such as state
196        synchronization between PCP servers, are beyond
197        the scope of this document.</t>
198
199        <t>For general recommendations regarding operation of
200        anycast services see <xref target="RFC4786"/>.</t>
201
202    </section>
203
204    <section title="IANA Considerations">
205      <section title="Registration of IPv4 Special Purpose Address">
206        <t>IANA is requested to register a single IPv4 address in the IANA
207        IPv4 Special Purpose Address Registry <xref target="RFC5736"/>.</t>
208
209        <t><xref target="RFC5736"/> itemizes some information to be recorded
210        for all designations: <list style="hanging">
211            <t>1. The designated address prefix.</t>
212
213            <t>Prefix: TBD by IANA. Prefix length: /32</t>
214
215            <t>2. The RFC that called for the IANA address designation.</t>
216
217            <t>This document.</t>
218
219            <t>3. The date the designation was made.</t>
220
221            <t>TBD.</t>
222
223            <t>4. The date the use designation is to be terminated (if
224            specified as a limited-use designation).</t>
225
226            <t>Unlimited. No termination date.</t>
227
228            <t>5. The nature of the purpose of the designated address (e.g.,
229            unicast experiment or protocol service anycast).</t>
230
231            <t>protocol service anycast.</t>
232
233            <t>6. For experimental unicast applications and otherwise as
234            appropriate, the registry will also identify the entity and
235            related contact details to whom the address designation has been
236            made.</t>
237
238            <t>N/A.</t>
239
240            <t>7. The registry will also note, for each designation, the
241            intended routing scope of the address, indicating whether the
242            address is intended to be routable only in scoped, local, or
243            private contexts, or whether the address prefix is intended to be
244            routed globally.</t>
245
246            <t>Typically used within a network operator's network domain, but
247            in principle globally routable.</t>
248
249            <t>8. The date in the IANA registry is the date of the IANA
250            action, i.e., the day IANA records the allocation.</t>
251
252            <t>TBD.</t>
253          </list></t>
254      </section>
255
256      <section title="Registration of IPv6 Special Purpose Address">
257        <t>IANA is requested to register a single IPv6 address in the IANA
258        IPv6 Special Purpose Address Block <xref target="RFC4773"/>.</t>
259
260        <t><xref target="RFC4773"/> itemizes some information to be recorded
261        for all designations: <list style="hanging">
262            <t>1. The designated address prefix.</t>
263
264            <t>Prefix: TBD by IANA. Prefix length: /128</t>
265
266            <t>2. The RFC that called for the IANA address designation.</t>
267
268            <t>This document.</t>
269
270            <t>3. The date the designation was made.</t>
271
272            <t>TBD.</t>
273
274            <t>4. The date the use designation is to be terminated (if
275            specified as a limited-use designation).</t>
276
277            <t>Unlimited. No termination date.</t>
278
279            <t>5. The nature of the purpose of the designated address (e.g.,
280            unicast experiment or protocol service anycast).</t>
281
282            <t>protocol service anycast.</t>
283
284            <t>6. For experimental unicast applications and otherwise as
285            appropriate, the registry will also identify the entity and
286            related contact details to whom the address designation has been
287            made.</t>
288
289            <t>N/A.</t>
290
291            <t>7. The registry will also note, for each designation, the
292            intended routing scope of the address, indicating whether the
293            address is intended to be routable only in scoped, local, or
294            private contexts, or whether the address prefix is intended to be
295            routed globally.</t>
296
297            <t>Typically used within a network operator's network domain, but
298            in principle globally routable.</t>
299
300            <t>8. The date in the IANA registry is the date of the IANA
301            action, i.e., the day IANA records the allocation.</t>
302
303            <t>TBD.</t>
304          </list></t>
305      </section>
306
307    </section>
308
309    <section anchor="security" title="Security Considerations">
310      <t>In a network without any border gateway, NAT or firewall that is
311      aware of the PCP anycast address, outgoing PCP requests could leak out
312      onto the external Internet, possibly revealing information about
313      internal devices.</t>
314
315      <t>Using an IANA-assigned well-known PCP anycast address enables border
316      gateways to block such outgoing packets. In the default-free zone,
317      routers should be configured to drop such packets. Such configuration
318      can occur naturally via BGP messages advertising that no route exists to
319      said address.</t>
320
321      <t>Sensitive clients that do not wish to leak information about their
322      presesence can set an IP TTL on their PCP requests that limits how far
323      they can travel into the public Internet.</t>
324    </section>
325  </middle>
326
327  <back>
328    <?rfc needLines="6" ?>
329
330    <references title="Normative References">
331      <?rfc include="reference.RFC.1546"?>
332
333      <!-- <?rfc include="reference.RFC.2119"?> -->
334
335      <?rfc include="reference.RFC.3958"?>
336
337      <?rfc include="reference.RFC.4773"?>
338
339      <?rfc include="reference.RFC.5736"?>
340
341      <?rfc include="reference.RFC.6887"?>
342
343    </references>
344
345    <references title="Informative References">
346      <?rfc include="reference.RFC.4786"?>
347      <?rfc include="reference.I-D.chen-pcp-mobile-deployment"?>
348      <?rfc include="reference.I-D.ietf-pcp-dhcp"?>
349
350      <?rfc include="reference.I-D.ietf-dhc-container-opt"?>
351
352      <reference anchor="DhcpRequestParams"
353                 target="http://msdn.microsoft.com/en-us/library/windows/desktop/aa363298%28v=vs.85%29.aspx">
354        <front>
355          <title>OpenFlow Switch Specification</title>
356
357          <author fullname="OpenFlow" surname="OpenFlow">
358            <organization>OpenFlow</organization>
359          </author>
360
361          <date month="February" year="2011"/>
362        </front>
363      </reference>
364
365      <reference anchor="DNSDisc">
366        <front>
367          <title>Analysis of DNS Server Discovery Mechanisms for IPv6</title>
368
369          <author fullname="Jun-ichiro Hagino" initials="J" surname="Hagino">
370            <organization/>
371          </author>
372
373          <author fullname="Dave Thaler" initials="D" surname="Thaler">
374            <organization/>
375          </author>
376
377          <date day="27" month="November" year="2001"/>
378        </front>
379
380        <seriesInfo name="Internet-Draft"
381                    value="draft-ietf-ipngwg-dns-discovery-01"/>
382
383        <format target="http://tools.ietf.org/id/draft-ietf-ipngwg-dns-discovery-01.txt"
384                type="TXT"/>
385      </reference>
386    </references>
387
388
389
390    <section anchor="appendix-alternatives" title="Discussion of other PCP Discovery methods">
391      <t>Several algorithms have been specified that allows PCP Client to
392      discover the PCP Servers on a network . However, each of this approaches
393      has technical or operational issues that will hinder the fast deployment
394      of PCP.</t>
395
396      <section anchor="default_router" title="Default Router">
397        <t>The PCP specification allows one mode of operation in which the
398        PCP client sends its requests to the default router. This approach
399        is appropriate in a typical single-link residential network but
400        has limitations in more complex network topologies.</t>
401
402        <t>If PCP server does not reside in first hop router, whether because
403        subscriber has a existing home router or in the case of Wireless
404        Networks (3G, LTE) <xref target="I-D.chen-pcp-mobile-deployment"/>,
405        trying to send a request to default router will not work.</t>
406      </section>
407
408      <section anchor="dhcp_option" title="DHCP PCP Options">
409        <t>One general drawback of relying on external configuration mechanisms,
410        such as DHCP <xref target="I-D.ietf-pcp-dhcp"/>, is that it creates
411        an external dependency on another piece of network infrastructure which
412        must be configured with the right address for PCP to work. In some
413        environments the staff managing the DHCP servers may not be the same
414        staff managing the NAT gateways, and in any case, constantly keeping the
415        DHCP server address information up to date as NAT gateways are added,
416        removed, or reconfigured, is burdensome.</t>
417
418        <t>Another drawback of relying on DHCP for configuration is that at
419        least one significant target deployment environments for PCP -- namely
420        3GPP for mobile telephones -- does not use DHCP.</t>
421        <t>There are two problems with DHCP Options: DHCP Server on Home
422        Gateways (HGW) and Operating Systems DHCP clients</t>
423
424        <t>Currently what the HGW does with the options it receives from the
425        ISP is not standardized in any general way. As a matter of practice,
426        the HGW is most likely to use its own customer-LAN-facing IP address
427        for the DNS server address. As for other options, it's free to offer
428        the same values to the client, offer no value at all, or offer its own
429        IP address if that makes sense, as it does (sort of) for DNS.</t>
430
431        <t>In scenarios where PCP Server resides on ISP network and is
432        intended to work with arbitrary home gateways that don't know they are
433        being used in a PCP context, that won't work, because there's no
434        reason to think that the HGW will even request the option from the
435        DHCP server, much less offer the value it gets from the server on the
436        customer-facing LAN. There is work on the DHC WG to overcome some of
437        these limitations <xref target="I-D.ietf-dhc-container-opt"/> but in
438        terms of deployment it also needs HGW to be upgraded.</t>
439
440        <t>The problems with Operating Systems is that even if DHCP PCP Option
441        were made available to customer-facing LAN, host stack DHCP
442        enhancements are required to process or request new DHCP PCP option.
443        One exception is Windows <xref target="DhcpRequestParams"/></t>
444
445        <t>Finally, in the case of IPv6 there are networks where there is
446        DHCPv6 infrastructure at all or some hosts do not have a DHCPv6
447        client.</t>
448      </section>
449
450
451      <section anchor="user_input" title="User Input">
452        <t>A regular subscriber can not be expected to input IP address of PCP
453        Server or network domain name. Moreover, user can be at a Wi-Fi
454        hotspot, Hotel or related. Therefore relying on user input is not
455        reliable.</t>
456      </section>
457
458      <section anchor="dns_based" title="Domain Name System Based ">
459        <t>There are three separate category of problems with NAPTR <xref
460        target="RFC3958"/> <list style="numbers">
461            <t>End Points: It relies on PCP client determining the domain name
462            and supporting certain DNS queries</t>
463
464            <t>DNS Servers: DNS server need to be provisioned with the
465            necessary records</t>
466
467            <t>CPEs: CPEs might interfere with DNS queries and the DHCP domain
468            name option conveyed by ISP that could be used to bootstrap NAPTR
469            might not be relayed to home network.</t>
470          </list></t>
471      </section>
472
473      <section anchor="port_based" title="Addressing only based on Destination Port">
474        <t>One design option that was considered for Apple's NAT gateways was to
475        have the NAT gateway simply handle and respond to all packets addressed
476        to UDP port 5351, regardless of the destination address in the packet.
477        Since the device is a NAT gateway, it already examines every packet in
478        order to rewrite port numbers, so also detecting packets addressed to
479        UDP port 5351 is not a significant additional burden. Also, since this
480        device is a NAT gateway which rewrites port numbers, any attempt by a
481        client to talk *though* this first NAT gateway to create mappings in
482        some second upstream NAT gateway is futile and pointless. Any mappings
483        created in the second NAT gateway are useful to the client only if there
484        are also corresponding mappings created in the first NAT gateway.
485        Consequently, there is no case where it is useful for PCP requests to
486        pass transparently through the first PCP-aware NAT gateway on their way
487        to the second PCP-aware NAT gateway. In all cases, for useful
488        connectivity to be established, the PCP request must be handled by the
489        first NAT gateway, and then the first NAT gateway generates a
490        corresponding new upstream request to establish a mapping in the second
491        NAT gateway. (This process can be repeated recursively for as many times
492        as necessary for the depth of nesting of NAT gateways; this is
493        transparent to the client device.)</t>
494      </section>
495    </section>
496
497    <section anchor="appendix_anycast_discussion"
498             title="Discussion of IP Anycast Address usage for PCP">
499      <section title="Motivation">
500        <t>The two issues identified in <xref target="port_based"/>
501        result in the following related observations: the
502        PCP client may not *know* what destination address to use in its PCP
503        request packets; the PCP server doesn't *care* what destination address
504        is in the PCP request packets.</t>
505
506        <t>Given that the devices neither need to know nor care what destination
507        address goes in the packet, all we need to do is pick one and use it.
508        It's little more than a placeholder in the IP header. Any globally
509        routable unicast address will do. Since this address is one that
510        automatically routes its packet to the closest on-path device that
511        implements the desired functionality, it is an anycast address.</t>
512      </section>
513      <section title="Scenarios">
514        <t>In the simple case where the first-hop router is also the NAT gateway
515        (as is common in a typical single-link residential network), sending to
516        the PCP anycast address is equivalent to sending to the client's default
517        router, as specified in <xref target="RFC6887">the PCP base
518        document</xref>.</t>
519
520        <t>In the case of a larger corporate network, where there may be several
521        internal routed subnets and one or more border NAT gateway(s) connecting
522        to the rest of the Internet, sending to the PCP anycast address has the
523        interesting property that it magically finds the right border NAT
524        gateway for that client. Since we posit that other network
525        infrastructure does not need (and should not have) any special knowledge
526        of PCP (or its anycast address) this means that to other non-NAT
527        routers, the PCP anycast address will look like any other unicast
528        destination address on the public Internet, and consequently the packet
529        will be forwarded as for any other packet destined to the public
530        Internet, until it reaches a NAT or firewall device that is aware of the
531        PCP anycast address. This will result in the packet naturally arriving
532        the NAT gateway that handles this client's outbound traffic destined to
533        the public Internet, which is exactly the NAT gateway that the client
534        wishes to communicate with when managing its port mappings.</t>
535      </section>
536
537      <section anchor="history" title="Historical Objections to Anycast">
538        <t>In March 2001 a draft document entitled <xref
539        target="DNSDisc">"Analysis of DNS Server Discovery Mechanisms for
540        IPv6"</xref> proposed using anycast to discover DNS servers, a proposal
541        that was subsequently abandoned in later revisions of that draft
542        document.</t>
543   
544        <t>There are legitimate reasons why using anycast to discover DNS
545        servers is not compelling, mainly because it requires explicit
546        configuration of routing tables to direct those anycast packets to the
547        desired DNS server. However, DNS server discovery is very different to
548        NAT gateway discovery. A DNS server is something a client explicitly
549        talks to, via IP address. The DNS server may be literally anywhere on
550        the Internet. Various reasons make anycast an uncompelling technique for
551        DNS server discovery: <list style="symbols">
552            <t>DNS is a pure application-layer protocol, running over UDP.</t>
553   
554            <t>On an operating system without appropriate support for
555            configuring anycast addresses, a DNS server would have to use
556            something like Berkeley Packet Filter (BPF) to snoop on received
557            packets to intercept DNS requests, which is inelegant and
558            inefficient.</t>
559   
560            <t>Without appropriate routing changes elsewhere in the network,
561            there's no reason to assume that packets sent to that anycast
562            address would even make it to the desired DNS server machine. This
563            places an addition configuration burden on the network
564            administrators, to install appropriate routing table entries to
565            direct packets to the desired DNS server machine.</t>
566          </list></t>
567   
568        <t>In contrast, a NAT gateway is something a client's packets stumble
569        across as they try to leave the local network and head out onto the
570        public Internet. The NAT gateway has to be on the path those packets
571        naturally take or it can't perform its NAT functions. As a result, the
572        objections to using anycast for DNS server discovery do not apply to
573        PCP: <list style="symbols">
574            <t>No routing changes are needed (or desired) elsewhere in the local
575            network, because the whole *point* of using anycast is that we want
576            the client's PCP request packet to take the same forwarding path
577            through the network as a TCP SYN to any other remote destination
578            address, because we want the *same* NAT gateway that would have made
579            a mapping in response to receiving an outbound TCP SYN packet from
580            the client to be the the one that makes a mapping in response to
581            receiving a PCP request packet from the client.</t>
582   
583            <t>A NAT engine is already snooping on (and rewriting) every packet
584            it forwards. As part of that snooping it could trivially look for
585            packets addressed to the PCP UDP port and process them locally (just
586            like the local processing it already does when it sees an outbound
587            TCP SYN packet).</t>
588          </list></t>
589      </section>
590    </section>
591
592  </back>
593</rfc>
Note: See TracBrowser for help on using the repository browser.