Re: [BEHAVE] NAPGT request for comments, THANKS!
meng.wei2@zte.com.cn Wed, 17 July 2013 08:08 UTC
Return-Path: <meng.wei2@zte.com.cn>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D08A21F89C3; Wed, 17 Jul 2013 01:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.722
X-Spam-Level:
X-Spam-Status: No, score=-101.722 tagged_above=-999 required=5 tests=[AWL=0.876, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0yVmfEA3vaEz; Wed, 17 Jul 2013 01:08:34 -0700 (PDT)
Received: from zte.com.cn (mx6.zte.com.cn [95.130.199.165]) by ietfa.amsl.com (Postfix) with ESMTP id D84A521F9D12; Wed, 17 Jul 2013 01:08:33 -0700 (PDT)
Received: from zte.com.cn (unknown [192.168.168.119]) by Websense Email Security Gateway with ESMTP id 791E5ACB0C; Wed, 17 Jul 2013 16:08:01 +0800 (CST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id 5994C7062A3; Wed, 17 Jul 2013 16:07:59 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id r6H880ig049654; Wed, 17 Jul 2013 16:08:00 +0800 (GMT-8) (envelope-from meng.wei2@zte.com.cn)
In-Reply-To: <45A697A8FFD7CF48BCF2BE7E106F0604090C7C7E@xmb-rcd-x04.cisco.com>
To: "Reinaldo Penno (repenno)" <repenno@cisco.com>
MIME-Version: 1.0
X-KeepSent: 50A98C07:6E747C89-48257BAB:00257C5C; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF50A98C07.6E747C89-ON48257BAB.00257C5C-48257BAB.002CC34E@zte.com.cn>
From: meng.wei2@zte.com.cn
Date: Wed, 17 Jul 2013 16:08:02 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2013-07-17 16:07:56, Serialize complete at 2013-07-17 16:07:56
Content-Type: multipart/alternative; boundary="=_alternative 002CC34948257BAB_="
X-MAIL: mse02.zte.com.cn r6H880ig049654
Cc: "behave-bounces@ietf.org" <behave-bounces@ietf.org>, "behave@ietf.org" <behave@ietf.org>, "Dan Wing (dwing)" <dwing@cisco.com>
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 08:08:38 -0000
Hi,
I got what the example means.
1-1024 is just an example, the range could be any valid value.
"<1-1024> might be used as NAT, <1025-65535> might be used as
dynamic NAPT", example is as below.
+----------+ +-----+ +--------+
+ Internet + ----+ NAT +----+ Server +
+----------+ +-----+ +--------+
(1) "<1-1024> might be used as NAT" means,
A server behind a NAT.
A message, sent by server, its source port is in 1-1024 (or 4500-4501
or ...).
The source address will be converted by NAT, the source port remains
the same.
(2)<1025-65535> might be used as dynamic NAPT
Meanwhile, many hosts are behind NAT. They attempt to access to
internet.
A message, sent by a host, both its source address and port will
be converted by NAT, and the new port will be in 1025-65535.
It will make IP address assignment more effective.
Cheers,
Wei
behave-bounces@ietf.org 2013-07-17 12:36:30:
> Hi,
>
> I'm not sure what exactly you man by "might be used as NAT".
>
> 0-1024 might be used for NAPT in a FCFS basis where port
> preservation (this is what we are talking about here, right?) is needed.
>
> As a concrete example, many IPsec Servers still expect to see the
> source port within 0-1024 and preferably a specific source port. If
> that source port is used by the NAT, and more than one IPsec client
> is behind it, there are a some choices available.
>
> - Some funky IPSec ALG (implemented in many products)
> - Give a port above 1024 and hope for the best
> - Deny the connection
> - others..
>
> Other ports for the same public IP can be used by any other internal
> IP address. This is very common in implementations.
>
> thanks,
>
> From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of
> meng.wei2@zte.com.cn [meng.wei2@zte.com.cn]
> Sent: Tuesday, July 16, 2013 8:22 PM
> To: Reinaldo Penno (repenno)
> Cc: behave-bounces@ietf.org; behave@ietf.org; Dan Wing (dwing)
> Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
>
> Hi Reinaldo,
> So I suppose <1-1024> might be used as NAT, <1025-65535> might be used
as
> dynamic NAPT.
> That is what this view says in the draft.
>
> Cheers,
> Wei
>
>
> behave-bounces@ietf.org 2013-07-17 09:52:34:
>
> > I'm not sure this is a good idea. There are still some protocols
> > around that use ports < 1024 and maintaining the source port after
> > translation in this range is important.
> >
> > From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of
> > Dan Wing (dwing)
> > Sent: Tuesday, July 16, 2013 3:30 PM
> > To: meng.wei2@zte.com.cn
> > Cc: behave@ietf.org
> > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
>
> >
> > On Jul 15, 2013, at 2:43 AM, meng.wei2@zte.com.cn wrote:
> >
> > I have submitted a new draft. The objective is to solve a problem
that
> > prevents an external client from accessing an internal server.
> >
> > https://datatracker.ietf.org/doc/draft-meng-behave-napgt/
> >
> > I expect your comments. Thanks a lot!
> >
> > Draft-meng-behave-napgt appears to describe something that is very
> > similar to the long-standing "DMZ host" configuration available on
> > almost all residential-class NAT devices. I don't think we could
> > standardize that behavior, but perhaps that is possible.
> >
> > Draft-meng-behave-napgt also describes an update to the port
> > assignment behavior described in http://tools.ietf.
> > org/html/rfc5382#section-7.1 (TCP) and http://tools.ietf.
> > org/html/rfc4787#section-4.2.1 (UDP). If I understand Section 4 of
> > draft-meng-behave-napgt properly, it is saying that NATs should not
> > assign ports below 1024 to dynamic connections. This might be
> > something worth considering for draft-ietf-behave-requirements-update?
> >
> > -d
> > _______________________________________________
> > Behave mailing list
> > Behave@ietf.org
> > https://www.ietf.org/mailman/listinfo/behave
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Fwd: I-D Action: draft-chen-behave-nat64… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Dan Wing
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Simon Perreault
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)