Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7597

Mapping of Address and Port with Encapsulation (MAP-E)

Pages: 35
Proposed Standard
Part 2 of 2 – Pages 17 to 35
First   Prev   None

Top   ToC   RFC7597 - Page 17   prevText

8. Forwarding Considerations

Figure 1 depicts the overall MAP architecture with IPv4 users connected to a routed IPv6 network. MAP uses encapsulation mode as specified in [RFC2473]. For a shared IPv4 address, a MAP CE forwarding IPv4 packets from the LAN performs NAT44 functions first and creates appropriate NAT44 bindings. The resulting IPv4 packets MUST contain the source IPv4 address and source transport identifiers specified by the MAP provisioning parameters. The IPv4 packet is forwarded using the CE's MAP forwarding function. The IPv6 source and destination addresses MUST then be derived as per Section 5 of this document.

8.1. Receiving Rules

A MAP CE receiving an IPv6 packet to its MAP IPv6 address sends this packet to the CE's MAP function, where it is decapsulated. The resulting IPv4 packet is then forwarded to the CE's NAT44 function, where it is handled according to the NAT's translation table. A MAP BR receiving IPv6 packets selects a best matching MAP domain rule (Rule IPv6 prefix) based on a longest address match of the packet's IPv6 source address, as well as a match of the packet destination address against the configured BR IPv6 address(es). The selected MAP Rule allows the BR to determine the EA-bits from the source IPv6 address. To prevent spoofing of IPv4 addresses, any MAP node (CE and BR) MUST perform the following validation upon reception of a packet. First, the embedded IPv4 address or prefix, as well as the PSID (if any), are extracted from the source IPv6 address using the matching MAP Rule. These represent the range of what is acceptable as source IPv4 address and port. Second, the node extracts the source IPv4 address and port from the IPv4 packet encapsulated inside the IPv6 packet. If they are found to be outside the acceptable range, the packet MUST be silently discarded and a counter incremented to indicate that a potential spoofing attack may be underway. The source validation checks just described are not done for packets whose source IPv6 address is that of the BR (BR IPv6 address). By default, the CE router MUST drop packets received on the MAP virtual interface (i.e., after decapsulation of IPv6) for IPv4 destinations not for its own IPv4 shared address, full IPv4 address, or IPv4 prefix.
Top   ToC   RFC7597 - Page 18

8.2. ICMP

ICMP messages should be supported in MAP domains. Hence, the NAT44 in the MAP CE MUST implement the behavior for ICMP messages conforming to the best current practice documented in [RFC5508]. If a MAP CE receives an ICMP message having the ICMP Identifier field in the ICMP header, the NAT44 in the MAP CE MUST rewrite this field to a specific value assigned from the port set. BRs and other CEs must handle this field in a way similar to the handling of a port number in the TCP/UDP header upon receiving the ICMP message with the ICMP Identifier field. If a MAP node receives an ICMP error message without the ICMP Identifier field for errors that are detected inside an IPv6 tunnel, a node should relay the ICMP error message to the original source. This behavior SHOULD be implemented in accordance with Section 8 of [RFC2473].

8.3. Fragmentation and Path MTU Discovery

Due to the different sizes of the IPv4 and IPv6 headers, handling the maximum packet size is relevant for the operation of any system connecting the two address families. There are three mechanisms to handle this issue: Path MTU Discovery (PMTUD), fragmentation, and transport-layer negotiation such as the TCP Maximum Segment Size (MSS) option [RFC879]. MAP uses all three mechanisms to deal with different cases.

8.3.1. Fragmentation in the MAP Domain

Encapsulating an IPv4 packet to carry it across the MAP domain will increase its size (typically by 40 bytes). It is strongly recommended that the MTU in the MAP domain be well managed and that the IPv6 MTU on the CE WAN-side interface be set so that no fragmentation occurs within the boundary of the MAP domain. For an IPv4 packet entering a MAP domain, fragmentation is performed as described in Section 7.2 of [RFC2473]. The use of an anycast source address could lead to an ICMP error message generated on the path being sent to a different BR. Therefore, using a dynamically set tunnel MTU (Section 6.7 of [RFC2473]) is subject to IPv6 Path MTU black holes. A MAP BR using an anycast source address SHOULD NOT by default use Path MTU Discovery across the MAP domain.
Top   ToC   RFC7597 - Page 19
   Multiple BRs using the same anycast source address could send
   fragmented packets to the same CE at the same time.  If the
   fragmented packets from different BRs happen to use the same
   fragment ID, incorrect reassembly might occur.  See [RFC4459] for an
   analysis of the problem; Section 3.4 of [RFC4459] suggests solving
   the problem by fragmenting the inner packet.

8.3.2. Receiving IPv4 Fragments on the MAP Domain Borders

The forwarding of an IPv4 packet received from outside of the MAP domain requires the IPv4 destination address and the transport-protocol destination port. The transport-protocol information is only available in the first fragment received. As described in Section 5.3.3 of [RFC6346], a MAP node receiving an IPv4 fragmented packet from outside has to reassemble the packet before sending the packet onto the MAP link. If the first packet received contains the transport-protocol information, it is possible to optimize this behavior by using a cache and forwarding the fragments unchanged. Implementers of MAP should be aware that there are a number of well-known attacks against IP fragmentation; see [RFC1858] and [RFC3128]. Implementers should also be aware of additional issues with reassembling packets at high rates, as described in [RFC4963].

8.3.3. Sending IPv4 Fragments to the Outside

If two IPv4 hosts behind two different MAP CEs with the same IPv4 address send fragments to an IPv4 destination host outside the domain, those hosts may use the same IPv4 fragmentation identifier, resulting in incorrect reassembly of the fragments at the destination host. Given that the IPv4 fragmentation identifier is a 16-bit field, it could be used similarly to port ranges. A MAP CE could rewrite the IPv4 fragmentation identifier to be within its allocated port set, if the resulting fragment identifier space was large enough related to the rate at which fragments were sent. However, splitting the identifier space in this fashion would increase the probability of reassembly collisions for all connections through the Customer Premises Equipment (CPE). See also [RFC6864].

9. NAT44 Considerations

The NAT44 implemented in the MAP CE SHOULD conform to the behavior and best current practices documented in [RFC4787], [RFC5508], and [RFC5382]. In MAP address-sharing mode (determined by the MAP domain / rule configuration parameters), the operation of the NAT44 MUST be restricted to the available port numbers derived via the Basic Mapping Rule.
Top   ToC   RFC7597 - Page 20

10. Security Considerations

Spoofing attacks: With consistency checks between IPv4 and IPv6 sources that are performed on IPv4/IPv6 packets received by MAP nodes, MAP does not introduce any new opportunity for spoofing attacks that would not already exist in IPv6. Denial-of-service attacks: In MAP domains where IPv4 addresses are shared, the fact that IPv4 datagram reassembly may be necessary introduces an opportunity for DoS attacks. This is inherent in address sharing and is common with other address-sharing approaches such as DS-Lite and NAT64/DNS64. The best protection against such attacks is to accelerate IPv6 deployment so that address sharing is used less and less where MAP is supported. Routing loop attacks: Routing loop attacks may exist in some "automatic tunneling" scenarios and are documented in [RFC6324]. They cannot exist with MAP because each BR checks that the IPv6 source address of a received IPv6 packet is a CE address based on the Forwarding Mapping Rule. Attacks facilitated by restricted port set: From hosts that are not subject to ingress filtering [RFC2827], an attacker can inject spoofed packets during ongoing transport connections [RFC4953] [RFC5961] [RFC6056]. The attacks depend on guessing which ports are currently used by target hosts. Using an unrestricted port set is preferable, i.e., using native IPv6 connections that are not subject to MAP port-range restrictions. To minimize these types of attacks when using a restricted port set, the MAP CE's NAT44 filtering behavior SHOULD be "Address-Dependent Filtering" as described in Section 5 of [RFC4787]. Furthermore, the MAP CEs SHOULD use a DNS transport proxy [RFC5625] function to handle DNS traffic and source such traffic from IPv6 interfaces not assigned to MAP. [RFC6269] outlines general issues with IPv4 address sharing.
Top   ToC   RFC7597 - Page 21

11. References

11.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, December 1998, <http://www.rfc-editor.org/info/rfc2473>. [RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines", BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009, <http://www.rfc-editor.org/info/rfc5625>.

11.2. Informative References

[MAP-Deploy] Sun, Q., Chen, M., Chen, G., Tsou, T., and S. Perreault, "Mapping of Address and Port (MAP) - Deployment Considerations", Work in Progress, draft-ietf-softwire-map-deployment-06, June 2015. [RFC879] Postel, J., "The TCP Maximum Segment Size and Related Topics", RFC 879, DOI 10.17487/RFC0879, November 1983, <http://www.rfc-editor.org/info/rfc879>. [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security Considerations for IP Fragment Filtering", RFC 1858, DOI 10.17487/RFC1858, October 1995, <http://www.rfc-editor.org/info/rfc1858>. [RFC1933] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 1933, DOI 10.17487/RFC1933, April 1996, <http://www.rfc-editor.org/info/rfc1933>. [RFC2529] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4 Domains without Explicit Tunnels", RFC 2529, DOI 10.17487/RFC2529, March 1999, <http://www.rfc-editor.org/info/rfc2529>. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999, <http://www.rfc-editor.org/info/rfc2663>.
Top   ToC   RFC7597 - Page 22
   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
              May 2000, <http://www.rfc-editor.org/info/rfc2827>.

   [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains
              via IPv4 Clouds", RFC 3056, DOI 10.17487/RFC3056,
              February 2001, <http://www.rfc-editor.org/info/rfc3056>.

   [RFC3128]  Miller, I., "Protection Against a Variant of the Tiny
              Fragment Attack (RFC 1858)", RFC 3128,
              DOI 10.17487/RFC3128, June 2001,
              <http://www.rfc-editor.org/info/rfc3128>.

   [RFC3633]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
              Host Configuration Protocol (DHCP) version 6", RFC 3633,
              DOI 10.17487/RFC3633, December 2003,
              <http://www.rfc-editor.org/info/rfc3633>.

   [RFC4213]  Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
              for IPv6 Hosts and Routers", RFC 4213,
              DOI 10.17487/RFC4213, October 2005,
              <http://www.rfc-editor.org/info/rfc4213>.

   [RFC4459]  Savola, P., "MTU and Fragmentation Issues with
              In-the-Network Tunneling", RFC 4459, DOI 10.17487/RFC4459,
              April 2006, <http://www.rfc-editor.org/info/rfc4459>.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632,
              August 2006, <http://www.rfc-editor.org/info/rfc4632>.

   [RFC4787]  Audet, F., Ed., and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787,
              January 2007, <http://www.rfc-editor.org/info/rfc4787>.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007,
              <http://www.rfc-editor.org/info/rfc4862>.

   [RFC4953]  Touch, J., "Defending TCP Against Spoofing Attacks",
              RFC 4953, DOI 10.17487/RFC4953, July 2007,
              <http://www.rfc-editor.org/info/rfc4953>.
Top   ToC   RFC7597 - Page 23
   [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
              Errors at High Data Rates", RFC 4963,
              DOI 10.17487/RFC4963, July 2007,
              <http://www.rfc-editor.org/info/rfc4963>.

   [RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
              Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
              DOI 10.17487/RFC5214, March 2008,
              <http://www.rfc-editor.org/info/rfc5214>.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008,
              <http://www.rfc-editor.org/info/rfc5382>.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009,
              <http://www.rfc-editor.org/info/rfc5508>.

   [RFC5961]  Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
              Robustness to Blind In-Window Attacks", RFC 5961,
              DOI 10.17487/RFC5961, August 2010,
              <http://www.rfc-editor.org/info/rfc5961>.

   [RFC5969]  Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
              Infrastructures (6rd) -- Protocol Specification",
              RFC 5969, DOI 10.17487/RFC5969, August 2010,
              <http://www.rfc-editor.org/info/rfc5969>.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for
              Transport-Protocol Port Randomization", BCP 156, RFC 6056,
              DOI 10.17487/RFC6056, January 2011,
              <http://www.rfc-editor.org/info/rfc6056>.

   [RFC6250]  Thaler, D., "Evolution of the IP Model", RFC 6250,
              DOI 10.17487/RFC6250, May 2011,
              <http://www.rfc-editor.org/info/rfc6250>.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011,
              <http://www.rfc-editor.org/info/rfc6269>.

   [RFC6324]  Nakibly, G. and F. Templin, "Routing Loop Attack Using
              IPv6 Automatic Tunnels: Problem Statement and Proposed
              Mitigations", RFC 6324, DOI 10.17487/RFC6324, August 2011,
              <http://www.rfc-editor.org/info/rfc6324>.
Top   ToC   RFC7597 - Page 24
   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
              "Dual-Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011,
              <http://www.rfc-editor.org/info/rfc6333>.

   [RFC6335]  Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
              Cheshire, "Internet Assigned Numbers Authority (IANA)
              Procedures for the Management of the Service Name and
              Transport Protocol Port Number Registry", BCP 165,
              RFC 6335, DOI 10.17487/RFC6335, August 2011,
              <http://www.rfc-editor.org/info/rfc6335>.

   [RFC6346]  Bush, R., Ed., "The Address plus Port (A+P) Approach to
              the IPv4 Address Shortage", RFC 6346,
              DOI 10.17487/RFC6346, August 2011,
              <http://www.rfc-editor.org/info/rfc6346>.

   [RFC6864]  Touch, J., "Updated Specification of the IPv4 ID Field",
              RFC 6864, DOI 10.17487/RFC6864, February 2013,
              <http://www.rfc-editor.org/info/rfc6864>.

   [RFC7598]  Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec,
              W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for
              Configuration of Softwire Address and Port-Mapped
              Clients", RFC 7598, DOI 10.17487/RFC7598, July 2015,
              <http://www.rfc-editor.org/info/rfc7598>.

   [Solutions-4v6]
              Boucadair, M., Ed., Matsushima, S., Lee, Y., Bonness, O.,
              Borges, I., and G. Chen, "Motivations for Carrier-side
              Stateless IPv4 over IPv6 Migration Solutions", Work in
              Progress, draft-ietf-softwire-stateless-4v6-motivation-05,
              November 2012.

   [TR069]    Broadband Forum TR-069, "CPE WAN Management Protocol",
              Amendment 5, CWMP Version: 1.4, November 2013,
              <https://www.broadband-forum.org>.
Top   ToC   RFC7597 - Page 25

Appendix A. Examples

Example 1 - Basic Mapping Rule: Given the MAP domain information and an IPv6 address of an endpoint: End-user IPv6 prefix: 2001:db8:0012:3400::/56 Basic Mapping Rule: {2001:db8:0000::/40 (Rule IPv6 prefix), 192.0.2.0/24 (Rule IPv4 prefix), 16 (Rule EA-bit length)} PSID length: (16 - (32 - 24) = 8 (sharing ratio of 256) PSID offset: 6 (default) A MAP node (CE or BR) can, via the BMR or equivalent FMR, determine the IPv4 address and port set as shown below: EA bits offset: 40 IPv4 suffix bits (p) Length of IPv4 address (32) - IPv4 prefix length (24) = 8 IPv4 address: 192.0.2.18 (0xc0000212) PSID start: 40 + p = 40 + 8 = 48 PSID length: o - p = (56 - 40) - 8 = 8 PSID: 0x34 Available ports (63 ranges): 1232-1235, 2256-2259, ...... , 63696-63699, 64720-64723 The BMR information allows a MAP CE to determine (complete) its IPv6 address within the indicated IPv6 prefix. IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034
Top   ToC   RFC7597 - Page 26
   Example 2 - BR:

   Another example is a MAP BR, configured with the following FMR
   when receiving a packet with the following characteristics:

   IPv4 source address:       1.2.3.4 (0x01020304)
   IPv4 source port:          80
   IPv4 destination address:  192.0.2.18 (0xc0000212)
   IPv4 destination port:     1232

   Forwarding Mapping Rule: {2001:db8::/40 (Rule IPv6 prefix),
                             192.0.2.0/24 (Rule IPv4 prefix),
                             16 (Rule EA-bit length)}

   IPv6 address of MAP BR:              2001:db8:ffff::1

   The above information allows the BR to derive the mapped
   destination IPv6 address for the corresponding MAP CE, and also
   the mapped source IPv6 address for the IPv4 source address,
   as follows:

   IPv4 suffix bits (p):  32 - 24 = 8 (18 (0x12))
   PSID length:           8
   PSID:                  0x34 (1232)

   The resulting IPv6 packet will have the following key fields:

   IPv6 source address:       2001:db8:ffff::1
   IPv6 destination address:  2001:db8:0012:3400:0000:c000:0212:0034


   Example 3 - Forwarding Mapping Rule:

   An IPv4 host behind the MAP CE (addressed as per the previous
   examples) corresponding with IPv4 host 1.2.3.4 will have its
   packets encapsulated by IPv6 using the IPv6 address of the BR
   configured on the MAP CE as follows:

   IPv6 address of BR:         2001:db8:ffff::1
   IPv4 source address:        192.0.2.18
   IPv4 destination address:   1.2.3.4
   IPv4 source port:           1232
   IPv4 destination port:      80
   MAP CE IPv6 source address: 2001:db8:0012:3400:0000:c000:0212:0034
   IPv6 destination address:   2001:db8:ffff::1
Top   ToC   RFC7597 - Page 27
   Example 4 - Rule with no embedded address bits and no address
   sharing:

   End-user IPv6 prefix: 2001:db8:0012:3400::/56
   Basic Mapping Rule:   {2001:db8:0012:3400::/56 (Rule IPv6 prefix),
                          192.0.2.18/32 (Rule IPv4 prefix),
                          0 (Rule EA-bit length)}
   PSID length:          0 (sharing ratio is 1)
   PSID offset:          n/a

   A MAP node (CE or BR) can, via the BMR or equivalent FMR, determine
   the IPv4 address and port set as shown below:

   EA bits offset:       0
   IPv4 suffix bits (p): Length of IPv4 address (32) -
                         IPv4 prefix length (32) = 0
   IPv4 address:         192.0.2.18 (0xc0000212)
   PSID start:           0
   PSID length:          0
   PSID:                 null

   The BMR information allows a MAP CE to also determine (complete)
   its full IPv6 address by combining the IPv6 prefix with the MAP
   interface identifier (that embeds the IPv4 address).

   IPv6 address of MAP CE:  2001:db8:0012:3400:0000:c000:0212:0000
Top   ToC   RFC7597 - Page 28
   Example 5 - Rule with no embedded address bits and address sharing
   (sharing ratio of 256):

   End-user IPv6 prefix: 2001:db8:0012:3400::/56
   Basic Mapping Rule:   {2001:db8:0012:3400::/56 (Rule IPv6 prefix),
                          192.0.2.18/32 (Rule IPv4 prefix),
                          0 (Rule EA-bit length)}
   PSID length:          8 (from DHCP; sharing ratio of 256)
   PSID offset:          6 (default)
   PSID:                 0x34 (from DHCP)

   A MAP node can, via the Basic Mapping Rule, determine the IPv4
   address and port set as shown below:

   EA bits offset:        0
   IPv4 suffix bits (p):  Length of IPv4 address (32) -
                          IPv4 prefix length (32) = 0
   IPv4 address:          192.0.2.18 (0xc0000212)
   PSID offset:           6
   PSID length:           8
   PSID:                  0x34

   Available ports (63 ranges): 1232-1235, 2256-2259, ...... ,
                                63696-63699, 64720-64723

   The Basic Mapping Rule information allows a MAP CE to also
   determine (complete) its full IPv6 address by combining the IPv6
   prefix with the MAP interface identifier (that embeds the IPv4
   address and PSID).

   IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034

   Note that the IPv4 address and PSID are not derived from the IPv6
   prefix assigned to the CE but are provisioned separately using,
   for example, DHCP.
Top   ToC   RFC7597 - Page 29

Appendix B. A More Detailed Description of the Derivation of the Port-Mapping Algorithm

This appendix describes how the port-mapping algorithm described in Section 5.1 was derived. The algorithm is used in domains whose rules allow IPv4 address sharing. The basic requirement for a port-mapping algorithm is that the port sets it assigns to different MAP CEs MUST be non-overlapping. A number of other requirements guided the choice of the algorithm: o In keeping with the general MAP algorithm, the port set MUST be derivable from a Port Set identifier (PSID) that can be embedded in the End-user IPv6 prefix. o The mapping MUST be reversible such that, given the port number, the PSID of the port set to which it belongs can be quickly derived. o The algorithm MUST allow a broad range of address-sharing ratios. o It SHOULD be possible to exclude subsets of the complete port numbering space from assignment. Most operators would exclude the system ports (0-1023). A conservative operator might exclude all but the transient ports (49152-65535). o The effect of port exclusion on the possible values of the End-user IPv6 prefix (i.e., due to restrictions on the PSID value) SHOULD be minimized. o For administrative simplicity, the algorithm SHOULD allocate the same or almost the same number of ports to each CE sharing a given IPv4 address. The two extreme cases that an algorithm satisfying those conditions might support are when (1) the port numbers are not contiguous for each PSID but uniformly distributed across the allowed port range and (2) the port numbers are contiguous in a single range for each PSID. The port-mapping algorithm proposed here is called the Generalized Modulus Algorithm (GMA) and supports both of these cases.
Top   ToC   RFC7597 - Page 30
   For a given IPv4 address-sharing ratio (R) and the maximum number of
   contiguous ports (M) in a port set, the GMA is defined as follows:

   a.  The port numbers (P) corresponding to a given PSID are
       generated by:

       (1) ... P = (R * M) * i + M * PSID + j

       where i and j are indices and the ranges of i, j, and the PSID
       are discussed below.

   b.  For any given port number P, the PSID is calculated as:

       (2) ... PSID = trunc((P modulo (R * M)) / M)

       where trunc() is the operation of rounding down to the nearest
       integer.

   Formula (1) can be interpreted as follows.  First, the available port
   space is divided into blocks of size R * M.  Each block is divided
   into R individual ranges of length M.  The index i in formula (1)
   selects a block, PSID selects a range within that block, and the
   index j selects a specific port value within the range.  On the basis
   of this interpretation:

   o  i ranges from ceil(N / (R * M)) to trunc(65536/(R * M)) - 1, where
      ceil is the operation of rounding up to the nearest integer and N
      is the number of ports (e.g., 1024) excluded from the lower end of
      the range.  That is, any block containing excluded values is
      discarded at the lower end, and if the final block has fewer than
      R * M values it is discarded.  This ensures that the same number
      of ports is assigned to every PSID.

   o  PSID ranges from 0 to R - 1.

   o  j ranges from 0 to M - 1.
Top   ToC   RFC7597 - Page 31

B.1. Bit Representation of the Algorithm

If R and M are powers of 2 (R = 2^k, M = 2^m), formula (1) translates to a computationally convenient structure for any port number represented as a 16-bit binary number. This structure is shown in Figure 9. 0 8 15 +---------------+----------+------+-------------------+ | P | ----------------+-----------------+-------------------+ | i | PSID | j | +---------------+----------+------+-------------------+ |<----a bits--->|<-----k bits---->|<------m bits----->| Figure 9: Bit Representation of a Port Number As shown in the figure, the index value i of formula (1) is given by the first a = 16 - k - m bits of the port number. The PSID value is given by the next k bits, and the index value j is given by the last m bits. Because the PSID is always in the same position in the port number and always the same length, different PSID values are guaranteed to generate different sets of port numbers. In the reverse direction, the generating PSID can be extracted from any port number by a bitmask operation. Note that when M and R are powers of 2, 65536 divides evenly by R * M. Hence, the final block is complete, and the upper bound on i is exactly 65536/(R * M) - 1. The lower bound on i is still the minimum required to ensure that the required set of ports is excluded. No port numbers are wasted through the discarding of blocks at the lower end if block size R * M is a factor of N, the number of ports to be excluded. As a final note, the number of blocks into which the range 0-65535 is being divided in the above representation is given by 2^a. Hence, the case where a = 0 can be interpreted as one where the complete range has been divided into a single block, and individual port sets are contained in contiguous ranges in that block. We cannot throw away the whole block in that case, so port exclusion has to be achieved by putting a lower bound equal to ceil(N / M) on the allowed set of PSID values instead.
Top   ToC   RFC7597 - Page 32

B.2. GMA Examples

For example, for R = 256, PSID = 0, offset: a = 6 and PSID length: k = 8 bits: Available ports (63 ranges): 1024-1027, 2048-2051, ...... , 63488-63491, 64512-64515 Example 1: with offset = 6 (a = 6) For example, for R = 64, PSID = 0, a = 0 (PSID offset = 0 and PSID length = 6 bits), no port exclusion: Available ports (1 range): 0-1023 Example 2: with offset = 0 (a = 0) and N = 0

Acknowledgements

This document is based on the ideas of many, including Masakazu Asama, Mohamed Boucadair, Gang Chen, Maoke Chen, Wojciech Dec, Xiaohong Deng, Jouni Korhonen, Tomek Mrugalski, Jacni Qin, Chunfa Sun, Qiong Sun, and Leaf Yeh. The authors want in particular to recognize Remi Despres, who has tirelessly worked on generalized mechanisms for stateless address mapping. The authors would like to thank Lichun Bao, Guillaume Gottard, Dan Wing, Jan Zorz, Necj Scoberne, Tina Tsou, Kristian Poscic, and especially Tom Taylor and Simon Perreault for the thorough review and comments of this document. Useful IETF Last Call comments were received from Brian Weis and Lei Yan.
Top   ToC   RFC7597 - Page 33

Contributors

This document is the result of the IETF Softwire MAP design team effort and numerous previous individual contributions in this area: Chongfeng Xie China Telecom Room 708, No. 118, Xizhimennei Street Beijing 100035 China Phone: +86-10-58552116 Email: xiechf@ctbri.com.cn Qiong Sun China Telecom Room 708, No. 118, Xizhimennei Street Beijing 100035 China Phone: +86-10-58552936 Email: sunqiong@ctbri.com.cn Gang Chen China Mobile 29, Jinrong Avenue Xicheng District, Beijing 100033 China Email: phdgang@gmail.com, chengang@chinamobile.com Yu Zhai CERNET Center/Tsinghua University Room 225, Main Building, Tsinghua University Beijing 100084 China Email: jacky.zhai@gmail.com Wentao Shang CERNET Center/Tsinghua University Room 225, Main Building, Tsinghua University Beijing 100084 China Email: wentaoshang@gmail.com
Top   ToC   RFC7597 - Page 34
   Guoliang Han
   CERNET Center/Tsinghua University
   Room 225, Main Building, Tsinghua University
   Beijing  100084
   China
   Email: bupthgl@gmail.com

   Rajiv Asati
   Cisco Systems
   7025-6 Kit Creek Road
   Research Triangle Park, NC  27709
   United States
   Email: rajiva@cisco.com

Authors' Addresses

Ole Troan (editor) Cisco Systems Philip Pedersens vei 1 Lysaker 1366 Norway Email: ot@cisco.com Wojciech Dec Cisco Systems Haarlerbergpark Haarlerbergweg 13-19 Amsterdam, NOORD-HOLLAND 1101 CH The Netherlands Email: wdec@cisco.com Xing Li CERNET Center/Tsinghua University Room 225, Main Building, Tsinghua University Beijing 100084 China Email: xing@cernet.edu.cn
Top   ToC   RFC7597 - Page 35
   Congxiao Bao
   CERNET Center/Tsinghua University
   Room 225, Main Building, Tsinghua University
   Beijing  100084
   China

   Email: congxiao@cernet.edu.cn


   Satoru Matsushima
   SoftBank Telecom
   1-9-1 Higashi-Shinbashi, Munato-ku
   Tokyo
   Japan

   Email: satoru.matsushima@g.softbank.co.jp


   Tetsuya Murakami
   IP Infusion
   1188 East Arques Avenue
   Sunnyvale, CA  94085
   United States

   Email: tetsuya@ipinfusion.com


   Tom Taylor (editor)
   Huawei Technologies
   Ottawa
   Canada

   Email: tom.taylor.stds@gmail.com