Context Navigation

source: draft-cheshire-pcp-anycast/draft-ietf-pcp-anycast.xml @ 355

Last change on this file since 355 was 355, checked in by ietf-pcp@…, 8 years ago
s/external/internal/
File size: 25.8 KB

Line
1	<?xml version="1.0" encoding="US-ASCII"?>
2	<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
3	<?rfc toc="yes"?>
4	<?rfc tocompact="yes"?>
5	<?rfc tocdepth="3"?>
6	<?rfc tocindent="yes"?>
7	<?rfc symrefs="yes"?>
8	<?rfc sortrefs="yes"?>
9	<?rfc comments="yes"?>
10	<?rfc inline="yes"?>
11	<?rfc compact="no"?>
12	<?rfc subcompact="no"?>
13	<rfc category="std" docName="draft-ietf-pcp-anycast-02" ipr="trust200902">
14	<front>
15	<title abbrev="PCP Anycast Address">PCP Anycast Address</title>
16
17	<author fullname="Sebastian Kiesel" initials="S." surname="Kiesel">
18	<organization abbrev="University of Stuttgart">University of Stuttgart
19	Information Center</organization>
20
21	<address>
22	<postal>
23	<street>Networks and Communication Systems Department</street>
24	<street>Allmandring 30</street>
25
26	<city>Stuttgart</city>
27
28	<code>70550</code>
29
30	<country>Germany</country>
31	</postal>
32
33	<email>ietf-pcp@skiesel.de</email>
34	</address>
35	</author>
36
37	<author fullname="Reinaldo Penno" initials="R." surname="Penno">
38	<organization>Cisco Systems, Inc.</organization>
39
40	<address>
41	<postal>
42	<street/>
43
44	<city>San Jose</city>
45
46	<region>CA</region>
47
48	<code/>
49
50	<country>US</country>
51	</postal>
52
53	<phone/>
54
55	<facsimile/>
56
57	<email>repenno@cisco.com</email>
58
59	<uri/>
60	</address>
61	</author>
62
63	<author fullname="Stuart Cheshire" initials="S." surname="Cheshire">
64	<organization abbrev="Apple">Apple Inc.</organization>
65
66	<address>
67	<postal>
68	<street>1 Infinite Loop</street>
69
70	<city>Cupertino</city>
71
72	<region>California</region>
73
74	<code>95014</code>
75
76	<country>USA</country>
77	</postal>
78
79	<phone>+1 408 974 3207</phone>
80
81	<email>cheshire@apple.com</email>
82	</address>
83	</author>
84
85
86	<date year="2014"/>
87
88	<workgroup>PCP working group</workgroup>
89
90	<abstract>
91	<t>The Port Control Protocol (PCP) Anycast Address enables PCP clients to
92	transmit signaling messages to their closest on-path NAT, Firewall, or other
93	middlebox, without having to learn the IP address of that middlebox via
94	some external channel. This document establishes one well-known
95	IPv4 address and one well-known IPv6 address to be used as
96	PCP Anycast Address.</t>
97	</abstract>
98	</front>
99
100	<middle>
101	<section anchor="intro" title="Introduction">
102
103	<t>The Port Control Protocol (PCP) <xref target="RFC6887"/>
104	provides a mechanism to control how
105	incoming packets are forwarded by upstream devices such as Network
106	Address Translator IPv6/IPv4 (NAT64), Network Address Translator
107	IPv4/IPv4 (NAT44), IPv6 and IPv4 firewall devices, and a mechanism to
108	reduce application keep alive traffic.</t>
109
110	<t>The PCP document <xref target="RFC6887"/>
111	specifies the message formats used, but the address to which a client
112	sends its request is either assumed to be the default router (which is
113	appropriate in a typical single-link residential network) or has to be
114	configured otherwise via some external mechanism, such as DHCP.
115	The properties and drawbacks of various mechanisms are discussed in
116	<xref target="appendix-alternatives"/>.</t>
117
118	<t>This document follows a different approach: it establishes a
119	well-known anycast address for the PCP Server.
120	PCP clients are expected to send requests to this
121	address during the PCP Server discovery process. A PCP Server configured
122	with the anycast address could optionally redirect or return a list of
123	unicast PCP Servers to the client. For a more extensive discussion
124	on anycasting see <xref target="appendix_anycast_discussion"/>.</t>
125
126	<t>The benefit of using an anycast address is simplicity and
127	reliability. In an example deployment scenario: <list style="numbers">
128	<t>A network administrator installs a PCP-capable NAT.</t>
129
130	<t>An end user (who may be the same person) runs a PCP-enabled
131	application. This application can implement PCP with purely
132	user-level code -- no operating system support is required.</t>
133
134	<t>This PCP-enabled application sends its PCP request to the PCP
135	anycast address. This packet travels through the network like any
136	other, without any special support from DNS, DHCP, other routers, or
137	anything else, until it reaches the PCP-capable NAT, which receives
138	it, handles it, and sends back a reply.</t>
139	</list> Using the PCP anycast address, the only two things that need
140	to be deployed in the network are the two things that actually use PCP:
141	The PCP-capable NAT, and the PCP-enabled application. Nothing else in
142	the network needs to be changed or upgraded, and nothing needs to be
143	configured, including the PCP client.</t>
144
145	</section>
146
147
148
149	<section anchor="spec"
150	title="PCP Server Discovery based on well-known IP Address">
151	<section title="PCP Discovery Client behavior">
152	<t>PCP Clients that need to discover PCP servers SHOULD first send a
153	PCP request to the configured PCP server or to the default router,
154	as described in Section 8.1 of <xref target="RFC6887"/>. However,
155	differing from Section 8.1.1 of <xref target="RFC6887"/>, MRC
156	(Maximum Retransmission Count) is set to 4. Trying the configured
157	PCP server or the default router first is important because in the
158	case of cascaded PCP Servers, all of them need to be discovered in
159	order of hop distance from the client. </t>
160
161	<t>If contacting the configured PCP server or the default router
162	does not succeed with this first approach, the PCP client
163	re-initializes RT based on IRT, and
164	it resets MRC to its "normal" value (0 unless a different value is
165	requested by the application), as described in Section 8.1.1 of
166	<xref target="RFC6887"/>.
167	Then, the PCP client repeatedly transmits a message to the
168	configured PCP server or the default router, waits RT, transmits a
169	message to the anycast address, waits RT, recalculates RT as specified
170	in Section 8.1.1 of <xref target="RFC6887"/>, and starts again
171	with a retransmission to the configured PCP server or the default
172	router. This procedure continues until a reply is received or
173	or the PCP client is no longer interested in the PCP transaction
174	or the message exchange is considered to have failed according to
175	MRC/MRD.</t>
176
177	<t>The PCP client SHOULD select the PCP anycast address to be of the
178	same IP address family as its requested PCP mapping, i.e., the
179	address family of the Requested Internal IP Address.</t>
180
181	</section>
182
183	<section title="PCP Discovery Server behavior">
184	<t>A PCP Server can be configured to listen on the anycast address for
185	incoming PCP requests.</t>
186
187	<t>PCP responses are sent from that same IANA-assigned address (see
188	Page 5 of <xref target="RFC1546"/>).</t>
189	</section>
190	</section>
191
192	<section title="Deployment Considerations">
193	<t>There are known limitations when there is more than one
194	PCP server and asymmetric routing, or similar scenarios.
195	Mechanisms to deal with those situations, such as state
196	synchronization between PCP servers, are beyond
197	the scope of this document.</t>
198
199	<t>For general recommendations regarding operation of
200	anycast services see <xref target="RFC4786"/>.</t>
201
202	</section>
203
204	<section title="IANA Considerations">
205	<section title="Registration of IPv4 Special Purpose Address">
206	<t>IANA is requested to register a single IPv4 address in the IANA
207	IPv4 Special Purpose Address Registry <xref target="RFC5736"/>.</t>
208
209	<t><xref target="RFC5736"/> itemizes some information to be recorded
210	for all designations: <list style="hanging">
211	<t>1. The designated address prefix.</t>
212
213	<t>Prefix: TBD by IANA. Prefix length: /32</t>
214
215	<t>2. The RFC that called for the IANA address designation.</t>
216
217	<t>This document.</t>
218
219	<t>3. The date the designation was made.</t>
220
221	<t>TBD.</t>
222
223	<t>4. The date the use designation is to be terminated (if
224	specified as a limited-use designation).</t>
225
226	<t>Unlimited. No termination date.</t>
227
228	<t>5. The nature of the purpose of the designated address (e.g.,
229	unicast experiment or protocol service anycast).</t>
230
231	<t>protocol service anycast.</t>
232
233	<t>6. For experimental unicast applications and otherwise as
234	appropriate, the registry will also identify the entity and
235	related contact details to whom the address designation has been
236	made.</t>
237
238	<t>N/A.</t>
239
240	<t>7. The registry will also note, for each designation, the
241	intended routing scope of the address, indicating whether the
242	address is intended to be routable only in scoped, local, or
243	private contexts, or whether the address prefix is intended to be
244	routed globally.</t>
245
246	<t>Typically used within a network operator's network domain, but
247	in principle globally routable.</t>
248
249	<t>8. The date in the IANA registry is the date of the IANA
250	action, i.e., the day IANA records the allocation.</t>
251
252	<t>TBD.</t>
253	</list></t>
254	</section>
255
256	<section title="Registration of IPv6 Special Purpose Address">
257	<t>IANA is requested to register a single IPv6 address in the IANA
258	IPv6 Special Purpose Address Block <xref target="RFC4773"/>.</t>
259
260	<t><xref target="RFC4773"/> itemizes some information to be recorded
261	for all designations: <list style="hanging">
262	<t>1. The designated address prefix.</t>
263
264	<t>Prefix: TBD by IANA. Prefix length: /128</t>
265
266	<t>2. The RFC that called for the IANA address designation.</t>
267
268	<t>This document.</t>
269
270	<t>3. The date the designation was made.</t>
271
272	<t>TBD.</t>
273
274	<t>4. The date the use designation is to be terminated (if
275	specified as a limited-use designation).</t>
276
277	<t>Unlimited. No termination date.</t>
278
279	<t>5. The nature of the purpose of the designated address (e.g.,
280	unicast experiment or protocol service anycast).</t>
281
282	<t>protocol service anycast.</t>
283
284	<t>6. For experimental unicast applications and otherwise as
285	appropriate, the registry will also identify the entity and
286	related contact details to whom the address designation has been
287	made.</t>
288
289	<t>N/A.</t>
290
291	<t>7. The registry will also note, for each designation, the
292	intended routing scope of the address, indicating whether the
293	address is intended to be routable only in scoped, local, or
294	private contexts, or whether the address prefix is intended to be
295	routed globally.</t>
296
297	<t>Typically used within a network operator's network domain, but
298	in principle globally routable.</t>
299
300	<t>8. The date in the IANA registry is the date of the IANA
301	action, i.e., the day IANA records the allocation.</t>
302
303	<t>TBD.</t>
304	</list></t>
305	</section>
306
307	</section>
308
309	<section anchor="security" title="Security Considerations">
310	<t>In a network without any border gateway, NAT or firewall that is
311	aware of the PCP anycast address, outgoing PCP requests could leak out
312	onto the external Internet, possibly revealing information about
313	internal devices.</t>
314
315	<t>Using an IANA-assigned well-known PCP anycast address enables border
316	gateways to block such outgoing packets. In the default-free zone,
317	routers should be configured to drop such packets. Such configuration
318	can occur naturally via BGP messages advertising that no route exists to
319	said address.</t>
320
321	<t>Sensitive clients that do not wish to leak information about their
322	presesence can set an IP TTL on their PCP requests that limits how far
323	they can travel into the public Internet.</t>
324	</section>
325	</middle>
326
327	<back>
328	<?rfc needLines="6" ?>
329
330	<references title="Normative References">
331	<?rfc include="reference.RFC.1546"?>
332
333	<!-- <?rfc include="reference.RFC.2119"?> -->
334
335	<?rfc include="reference.RFC.3958"?>
336
337	<?rfc include="reference.RFC.4773"?>
338
339	<?rfc include="reference.RFC.5736"?>
340
341	<?rfc include="reference.RFC.6887"?>
342
343	</references>
344
345	<references title="Informative References">
346	<?rfc include="reference.RFC.4786"?>
347	<?rfc include="reference.I-D.chen-pcp-mobile-deployment"?>
348	<?rfc include="reference.I-D.ietf-pcp-dhcp"?>
349
350	<?rfc include="reference.I-D.ietf-dhc-container-opt"?>
351
352	<reference anchor="DhcpRequestParams"
353	target="http://msdn.microsoft.com/en-us/library/windows/desktop/aa363298%28v=vs.85%29.aspx">
354	<front>
355	<title>OpenFlow Switch Specification</title>
356
357	<author fullname="OpenFlow" surname="OpenFlow">
358	<organization>OpenFlow</organization>
359	</author>
360
361	<date month="February" year="2011"/>
362	</front>
363	</reference>
364
365	<reference anchor="DNSDisc">
366	<front>
367	<title>Analysis of DNS Server Discovery Mechanisms for IPv6</title>
368
369	<author fullname="Jun-ichiro Hagino" initials="J" surname="Hagino">
370	<organization/>
371	</author>
372
373	<author fullname="Dave Thaler" initials="D" surname="Thaler">
374	<organization/>
375	</author>
376
377	<date day="27" month="November" year="2001"/>
378	</front>
379
380	<seriesInfo name="Internet-Draft"
381	value="draft-ietf-ipngwg-dns-discovery-01"/>
382
383	<format target="http://tools.ietf.org/id/draft-ietf-ipngwg-dns-discovery-01.txt"
384	type="TXT"/>
385	</reference>
386	</references>
387
388
389
390	<section anchor="appendix-alternatives" title="Discussion of other PCP Discovery methods">
391	<t>Several algorithms have been specified that allows PCP Client to
392	discover the PCP Servers on a network . However, each of this approaches
393	has technical or operational issues that will hinder the fast deployment
394	of PCP.</t>
395
396	<section anchor="default_router" title="Default Router">
397	<t>The PCP specification allows one mode of operation in which the
398	PCP client sends its requests to the default router. This approach
399	is appropriate in a typical single-link residential network but
400	has limitations in more complex network topologies.</t>
401
402	<t>If PCP server does not reside in first hop router, whether because
403	subscriber has a existing home router or in the case of Wireless
404	Networks (3G, LTE) <xref target="I-D.chen-pcp-mobile-deployment"/>,
405	trying to send a request to default router will not work.</t>
406	</section>
407
408	<section anchor="dhcp_option" title="DHCP PCP Options">
409	<t>One general drawback of relying on external configuration mechanisms,
410	such as DHCP <xref target="I-D.ietf-pcp-dhcp"/>, is that it creates
411	an external dependency on another piece of network infrastructure which
412	must be configured with the right address for PCP to work. In some
413	environments the staff managing the DHCP servers may not be the same
414	staff managing the NAT gateways, and in any case, constantly keeping the
415	DHCP server address information up to date as NAT gateways are added,
416	removed, or reconfigured, is burdensome.</t>
417
418	<t>Another drawback of relying on DHCP for configuration is that at
419	least one significant target deployment environments for PCP -- namely
420	3GPP for mobile telephones -- does not use DHCP.</t>
421	<t>There are two problems with DHCP Options: DHCP Server on Home
422	Gateways (HGW) and Operating Systems DHCP clients</t>
423
424	<t>Currently what the HGW does with the options it receives from the
425	ISP is not standardized in any general way. As a matter of practice,
426	the HGW is most likely to use its own customer-LAN-facing IP address
427	for the DNS server address. As for other options, it's free to offer
428	the same values to the client, offer no value at all, or offer its own
429	IP address if that makes sense, as it does (sort of) for DNS.</t>
430
431	<t>In scenarios where PCP Server resides on ISP network and is
432	intended to work with arbitrary home gateways that don't know they are
433	being used in a PCP context, that won't work, because there's no
434	reason to think that the HGW will even request the option from the
435	DHCP server, much less offer the value it gets from the server on the
436	customer-facing LAN. There is work on the DHC WG to overcome some of
437	these limitations <xref target="I-D.ietf-dhc-container-opt"/> but in
438	terms of deployment it also needs HGW to be upgraded.</t>
439
440	<t>The problems with Operating Systems is that even if DHCP PCP Option
441	were made available to customer-facing LAN, host stack DHCP
442	enhancements are required to process or request new DHCP PCP option.
443	One exception is Windows <xref target="DhcpRequestParams"/></t>
444
445	<t>Finally, in the case of IPv6 there are networks where there is
446	DHCPv6 infrastructure at all or some hosts do not have a DHCPv6
447	client.</t>
448	</section>
449
450
451	<section anchor="user_input" title="User Input">
452	<t>A regular subscriber can not be expected to input IP address of PCP
453	Server or network domain name. Moreover, user can be at a Wi-Fi
454	hotspot, Hotel or related. Therefore relying on user input is not
455	reliable.</t>
456	</section>
457
458	<section anchor="dns_based" title="Domain Name System Based ">
459	<t>There are three separate category of problems with NAPTR <xref
460	target="RFC3958"/> <list style="numbers">
461	<t>End Points: It relies on PCP client determining the domain name
462	and supporting certain DNS queries</t>
463
464	<t>DNS Servers: DNS server need to be provisioned with the
465	necessary records</t>
466
467	<t>CPEs: CPEs might interfere with DNS queries and the DHCP domain
468	name option conveyed by ISP that could be used to bootstrap NAPTR
469	might not be relayed to home network.</t>
470	</list></t>
471	</section>
472
473	<section anchor="port_based" title="Addressing only based on Destination Port">
474	<t>One design option that was considered for Apple's NAT gateways was to
475	have the NAT gateway simply handle and respond to all packets addressed
476	to UDP port 5351, regardless of the destination address in the packet.
477	Since the device is a NAT gateway, it already examines every packet in
478	order to rewrite port numbers, so also detecting packets addressed to
479	UDP port 5351 is not a significant additional burden. Also, since this
480	device is a NAT gateway which rewrites port numbers, any attempt by a
481	client to talk though this first NAT gateway to create mappings in
482	some second upstream NAT gateway is futile and pointless. Any mappings
483	created in the second NAT gateway are useful to the client only if there
484	are also corresponding mappings created in the first NAT gateway.
485	Consequently, there is no case where it is useful for PCP requests to
486	pass transparently through the first PCP-aware NAT gateway on their way
487	to the second PCP-aware NAT gateway. In all cases, for useful
488	connectivity to be established, the PCP request must be handled by the
489	first NAT gateway, and then the first NAT gateway generates a
490	corresponding new upstream request to establish a mapping in the second
491	NAT gateway. (This process can be repeated recursively for as many times
492	as necessary for the depth of nesting of NAT gateways; this is
493	transparent to the client device.)</t>
494	</section>
495	</section>
496
497	<section anchor="appendix_anycast_discussion"
498	title="Discussion of IP Anycast Address usage for PCP">
499	<section title="Motivation">
500	<t>The two issues identified in <xref target="port_based"/>
501	result in the following related observations: the
502	PCP client may not know what destination address to use in its PCP
503	request packets; the PCP server doesn't care what destination address
504	is in the PCP request packets.</t>
505
506	<t>Given that the devices neither need to know nor care what destination
507	address goes in the packet, all we need to do is pick one and use it.
508	It's little more than a placeholder in the IP header. Any globally
509	routable unicast address will do. Since this address is one that
510	automatically routes its packet to the closest on-path device that
511	implements the desired functionality, it is an anycast address.</t>
512	</section>
513	<section title="Scenarios">
514	<t>In the simple case where the first-hop router is also the NAT gateway
515	(as is common in a typical single-link residential network), sending to
516	the PCP anycast address is equivalent to sending to the client's default
517	router, as specified in <xref target="RFC6887">the PCP base
518	document</xref>.</t>
519
520	<t>In the case of a larger corporate network, where there may be several
521	internal routed subnets and one or more border NAT gateway(s) connecting
522	to the rest of the Internet, sending to the PCP anycast address has the
523	interesting property that it magically finds the right border NAT
524	gateway for that client. Since we posit that other network
525	infrastructure does not need (and should not have) any special knowledge
526	of PCP (or its anycast address) this means that to other non-NAT
527	routers, the PCP anycast address will look like any other unicast
528	destination address on the public Internet, and consequently the packet
529	will be forwarded as for any other packet destined to the public
530	Internet, until it reaches a NAT or firewall device that is aware of the
531	PCP anycast address. This will result in the packet naturally arriving
532	the NAT gateway that handles this client's outbound traffic destined to
533	the public Internet, which is exactly the NAT gateway that the client
534	wishes to communicate with when managing its port mappings.</t>
535	</section>
536
537	<section anchor="history" title="Historical Objections to Anycast">
538	<t>In March 2001 a draft document entitled <xref
539	target="DNSDisc">"Analysis of DNS Server Discovery Mechanisms for
540	IPv6"</xref> proposed using anycast to discover DNS servers, a proposal
541	that was subsequently abandoned in later revisions of that draft
542	document.</t>
543
544	<t>There are legitimate reasons why using anycast to discover DNS
545	servers is not compelling, mainly because it requires explicit
546	configuration of routing tables to direct those anycast packets to the
547	desired DNS server. However, DNS server discovery is very different to
548	NAT gateway discovery. A DNS server is something a client explicitly
549	talks to, via IP address. The DNS server may be literally anywhere on
550	the Internet. Various reasons make anycast an uncompelling technique for
551	DNS server discovery: <list style="symbols">
552	<t>DNS is a pure application-layer protocol, running over UDP.</t>
553
554	<t>On an operating system without appropriate support for
555	configuring anycast addresses, a DNS server would have to use
556	something like Berkeley Packet Filter (BPF) to snoop on received
557	packets to intercept DNS requests, which is inelegant and
558	inefficient.</t>
559
560	<t>Without appropriate routing changes elsewhere in the network,
561	there's no reason to assume that packets sent to that anycast
562	address would even make it to the desired DNS server machine. This
563	places an addition configuration burden on the network
564	administrators, to install appropriate routing table entries to
565	direct packets to the desired DNS server machine.</t>
566	</list></t>
567
568	<t>In contrast, a NAT gateway is something a client's packets stumble
569	across as they try to leave the local network and head out onto the
570	public Internet. The NAT gateway has to be on the path those packets
571	naturally take or it can't perform its NAT functions. As a result, the
572	objections to using anycast for DNS server discovery do not apply to
573	PCP: <list style="symbols">
574	<t>No routing changes are needed (or desired) elsewhere in the local
575	network, because the whole point of using anycast is that we want
576	the client's PCP request packet to take the same forwarding path
577	through the network as a TCP SYN to any other remote destination
578	address, because we want the same NAT gateway that would have made
579	a mapping in response to receiving an outbound TCP SYN packet from
580	the client to be the the one that makes a mapping in response to
581	receiving a PCP request packet from the client.</t>
582
583	<t>A NAT engine is already snooping on (and rewriting) every packet
584	it forwards. As part of that snooping it could trivially look for
585	packets addressed to the PCP UDP port and process them locally (just
586	like the local processing it already does when it sees an outbound
587	TCP SYN packet).</t>
588	</list></t>
589	</section>
590	</section>
591
592	</back>
593	</rfc>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: