an update on me
Francis Dupont
fdupont at isc.org
Thu Feb 16 08:30:38 UTC 2012
> To expand on what Francis said, as it relates to the CPE:
> What we have is a modified miniupnpd. This proxies UPnP and NAT-PMP to
> PCP, but only over DS-Lite (it doesn't make a local NAT mapping, but
> just passes the PCP request to AFTR).
=> short terminology:
- Home Gateway (aka CPE, with an accent on the residential aspect)
- CGN (Carrier Grade NAT, named also LSN for Large Scale NAT):
a big NAT run by an ISP which is used by subscribers (BTW
this notion of subscribers is the real difference between a CGN
and a big NAT, and has critical consequences on security)
- DS-Lite: put the ISP infrastructure over IPv6 so IPv4 is transported
in IPv6 tunnels. Tunnel end-points are named B4 (Home Gateway)
and AFTR (CGN).
- NAT444: the alternative to DS-Lite when the ISP infrastructure
doesn't support IPv6, in fact just two levels of NATs.
- A+P (Address+Port, also Port-Range Router): a variant of DS-Lite
or NAT444 or similar CGN scheme where the NAT function (i.e., the
translation) is performed by the Home Gateway. An address and a
port set/range is provided to the Home Gateway(s) of each subscriber,
the CGN is replaced by a filter in the from subscriber to Internet way
(this filter verifies the source address and port is assigned to
the subscriber) and a router on the address and port (so the PRR name)
in the from Internet to subscriber way. At the cost of provisioning,
it greatly simplifies the CGN side, removes the (legal requirement of)
binding logging, etc. In general the port range/set follows an
algorithm (cf 4rd, SDNAT, etc) which makes the solution "stateless".
=> there are at least 3 interesting schemes:
- (standard) DS-Lite one: the Home Gateway (aka B4) encapsulates
the IPv4 traffic over IPv6 to the CGN (aka AFTR) which decapsulates
and translates it. For this case we support an IWF (InterWorking
Function, a piece of software which takes UPnP IGD v1 and v2,
NAT-PMP and PCP requests from home and converts them to PCP
requests sent to a PCP server colocated with the AFTR) based
on a heavily hacked miniupnpd named b4iwf in recent distribs.
- (standard) NAT444 where the IPv4 traffic is translated twice,
first by the embedded NAT in the Home Gateway, and a second
time by the CGN. We don't have support for this, cf the next
item by Paul. BTW the use of a PCP proxy with an embedded NAT
function raises an intrinsic security issue which makes IMHO
the corresponding spec hard to go through the IETF.
- standard Home Gateway: what we have today, the ISP provides
a routable IPv4 address and the Home Gateway translates the
IPv4 traffic using it. We have a miniupnpd (BTW with all the
shortcomings of it, I didn't fix them as this should have
implied a whole rewrite and perhaps some kernel hacking too)
which is extended to support PCP too (code named miniupnpd
in recent distribs).
> We've got a contract with Juniper (separate from the SD-NAT work) to
> work on PCP, which includes a deliverable to make the CPE work in a
> NAT444 scenario (i.e. make a local NAT mapping, and request a
> corresponding mapping from the CGN). This is my next task.
> We've run this code on various WRT54G gear, and on WNDR3700(v1), with
> stock OpenWrt Backfire 10.03.
=> BTW is there an easy way to recognize WNDR3700 v1, if possible
just looking at the box?
Regards
Francis Dupont <fdupont at isc.org>
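The A+P filter-and-route behaviour described in the terminology section above (the filter on the subscriber-to-Internet side checks that the source address and port are assigned to that subscriber, the Port-Range Router on the Internet-to-subscriber side picks the subscriber from address and port alone), as an added Python illustration that is not part of this message or the sdcpe project. The port-set layout (a few leading "offset" bits, then PSID bits, then the rest) is an assumption modelled loosely on MAP-style stateless schemes, not the 4rd or SDNAT algorithm; the subscriber table is constructed sample data.

```python
# Added example (not sdcpe code): a stateless A+P / Port-Range-Router style
# check. The port-set layout is an assumption, a simplified MAP-like scheme:
# port = [offset bits][psid bits][rest]; ports whose leading bits are all
# zero (0..1023 with the defaults below) belong to no subscriber.
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class PortSetParams:
    offset: int = 6    # leading bits; lead == 0 excludes ports 0..1023
    psid_len: int = 4  # bits identifying the subscriber (16 port sets per address)


def psid_of_port(port: int, p: PortSetParams = PortSetParams()) -> Optional[int]:
    """PSID encoded in a port, or None if the port is excluded or invalid."""
    if not 0 <= port <= 0xFFFF or (port >> (16 - p.offset)) == 0:
        return None
    shift = 16 - p.offset - p.psid_len
    return (port >> shift) & ((1 << p.psid_len) - 1)


def port_set(psid: int, p: PortSetParams = PortSetParams()) -> Iterator[int]:
    """Every port assigned to a PSID: derived by algorithm, never stored (stateless)."""
    for port in range(1 << (16 - p.offset), 0x10000):
        if psid_of_port(port, p) == psid:
            yield port


@dataclass
class PortRangeRouter:
    """Filter (subscriber -> Internet) plus router (Internet -> subscriber)."""
    params: PortSetParams = field(default_factory=PortSetParams)
    # (shared IPv4 address, PSID) -> subscriber; provisioning is the only state
    bindings: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def provision(self, subscriber: str, ipv4: str, psid: int) -> None:
        self.bindings[(ipv4, psid)] = subscriber

    def outbound_allowed(self, subscriber: str, src_ip: str, src_port: int) -> bool:
        """Drop packets whose source (address, port) is not assigned to this subscriber."""
        psid = psid_of_port(src_port, self.params)
        return psid is not None and self.bindings.get((src_ip, psid)) == subscriber

    def inbound_subscriber(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Pick the subscriber for an inbound packet from (address, port) alone."""
        psid = psid_of_port(dst_port, self.params)
        return None if psid is None else self.bindings.get((dst_ip, psid))
```

With the defaults each PSID owns 63 x 64 = 4032 ports, so a spoofed source port outside the subscriber's set, or a port from another subscriber's set on the same shared address, is rejected by the filter without any binding log.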