Re: [BEHAVE] NAPGT request for comments, THANKS!
meng.wei2@zte.com.cn Wed, 17 July 2013 08:08 UTC
Return-Path: <meng.wei2@zte.com.cn>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D08A21F89C3; Wed, 17 Jul 2013 01:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.722
X-Spam-Level:
X-Spam-Status: No, score=-101.722 tagged_above=-999 required=5 tests=[AWL=0.876, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0yVmfEA3vaEz; Wed, 17 Jul 2013 01:08:34 -0700 (PDT)
Received: from zte.com.cn (mx6.zte.com.cn [95.130.199.165]) by ietfa.amsl.com (Postfix) with ESMTP id D84A521F9D12; Wed, 17 Jul 2013 01:08:33 -0700 (PDT)
Received: from zte.com.cn (unknown [192.168.168.119]) by Websense Email Security Gateway with ESMTP id 791E5ACB0C; Wed, 17 Jul 2013 16:08:01 +0800 (CST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id 5994C7062A3; Wed, 17 Jul 2013 16:07:59 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id r6H880ig049654; Wed, 17 Jul 2013 16:08:00 +0800 (GMT-8) (envelope-from meng.wei2@zte.com.cn)
In-Reply-To: <45A697A8FFD7CF48BCF2BE7E106F0604090C7C7E@xmb-rcd-x04.cisco.com>
To: "Reinaldo Penno (repenno)" <repenno@cisco.com>
MIME-Version: 1.0
X-KeepSent: 50A98C07:6E747C89-48257BAB:00257C5C; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF50A98C07.6E747C89-ON48257BAB.00257C5C-48257BAB.002CC34E@zte.com.cn>
From: meng.wei2@zte.com.cn
Date: Wed, 17 Jul 2013 16:08:02 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2013-07-17 16:07:56, Serialize complete at 2013-07-17 16:07:56
Content-Type: multipart/alternative; boundary="=_alternative 002CC34948257BAB_="
X-MAIL: mse02.zte.com.cn r6H880ig049654
Cc: "behave-bounces@ietf.org" <behave-bounces@ietf.org>, "behave@ietf.org" <behave@ietf.org>, "Dan Wing (dwing)" <dwing@cisco.com>
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 08:08:38 -0000
Hi, I got what the example means. 1-1024 is just an example, the range could be any valid value. "<1-1024> might be used as NAT, <1025-65535> might be used as dynamic NAPT", example is as below. +----------+ +-----+ +--------+ + Internet + ----+ NAT +----+ Server + +----------+ +-----+ +--------+ (1) "<1-1024> might be used as NAT" means, A server behind a NAT. A message, sent by server, its source port is in 1-1024 (or 4500-4501 or ...). The source address will be converted by NAT, the source port remains the same. (2)<1025-65535> might be used as dynamic NAPT Meanwhile, many hosts are behind NAT. They attempt to access to internet. A message, sent by a host, both its source address and port will be converted by NAT, and the new port will be in 1025-65535. It will make IP address assignment more effective. Cheers, Wei behave-bounces@ietf.org 2013-07-17 12:36:30: > Hi, > > I'm not sure what exactly you man by "might be used as NAT". > > 0-1024 might be used for NAPT in a FCFS basis where port > preservation (this is what we are talking about here, right?) is needed. > > As a concrete example, many IPsec Servers still expect to see the > source port within 0-1024 and preferably a specific source port. If > that source port is used by the NAT, and more than one IPsec client > is behind it, there are a some choices available. > > - Some funky IPSec ALG (implemented in many products) > - Give a port above 1024 and hope for the best > - Deny the connection > - others.. > > Other ports for the same public IP can be used by any other internal > IP address. This is very common in implementations. > > thanks, > > From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of > meng.wei2@zte.com.cn [meng.wei2@zte.com.cn] > Sent: Tuesday, July 16, 2013 8:22 PM > To: Reinaldo Penno (repenno) > Cc: behave-bounces@ietf.org; behave@ietf.org; Dan Wing (dwing) > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! > > Hi Reinaldo, > So I suppose <1-1024> might be used as NAT, <1025-65535> might be used as > dynamic NAPT. > That is what this view says in the draft. > > Cheers, > Wei > > > behave-bounces@ietf.org 2013-07-17 09:52:34: > > > I'm not sure this is a good idea. There are still some protocols > > around that use ports < 1024 and maintaining the source port after > > translation in this range is important. > > > > From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of > > Dan Wing (dwing) > > Sent: Tuesday, July 16, 2013 3:30 PM > > To: meng.wei2@zte.com.cn > > Cc: behave@ietf.org > > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! > > > > > On Jul 15, 2013, at 2:43 AM, meng.wei2@zte.com.cn wrote: > > > > I have submitted a new draft. The objective is to solve a problem that > > prevents an external client from accessing an internal server. > > > > https://datatracker.ietf.org/doc/draft-meng-behave-napgt/ > > > > I expect your comments. Thanks a lot! > > > > Draft-meng-behave-napgt appears to describe something that is very > > similar to the long-standing "DMZ host" configuration available on > > almost all residential-class NAT devices. I don't think we could > > standardize that behavior, but perhaps that is possible. > > > > Draft-meng-behave-napgt also describes an update to the port > > assignment behavior described in http://tools.ietf. > > org/html/rfc5382#section-7.1 (TCP) and http://tools.ietf. > > org/html/rfc4787#section-4.2.1 (UDP). If I understand Section 4 of > > draft-meng-behave-napgt properly, it is saying that NATs should not > > assign ports below 1024 to dynamic connections. This might be > > something worth considering for draft-ietf-behave-requirements-update? > > > > -d > > _______________________________________________ > > Behave mailing list > > Behave@ietf.org > > https://www.ietf.org/mailman/listinfo/behave > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Fwd: I-D Action: draft-chen-behave-nat64… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Dan Wing
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Simon Perreault
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)