[BEHAVE] Endpoint-Independent Mappings found to be harmful if always imposed

Rémi Després <remi.despres@free.fr> Thu, 06 November 2008 18:01 UTC

Message-ID: <49133051.6040001@free.fr>
Date: Thu, 06 Nov 2008 18:58:41 +0100
From: Rémi Després <remi.despres@free.fr>
User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>, Dave Thaler <dthaler@windows.microsoft.com>, Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Cc: Behave WG <behave@ietf.org>
Subject: [BEHAVE] Endpoint-Independent Mappings found to be harmful if always imposed

Sorry for reacting so late on draft-ietf-behave-dccp (now -04), but better late than never.

1.
REQ-1 is:
'A NAT MUST have an "Endpoint-Independent Mapping" behavior for DCCP.'

This strong statement was originally made under the assumption that external ports available in NATs were more numerous than necessary.

As sharing IPv4 global addresses becomes more and more necessary and as port utilization in hosts has evolved, this assumption is no longer appropriate everywhere.

2.
There was a discussion in May on the possibility of authorizing a more sparing use of available ports, but without conclusion then. It is therefore appropriate to have it again now, before it is too late for the DCCP draft.

The simple idea goes this way:
"A NAT MUST have an "Endpoint-Independent Mapping" behavior for all outgoing connections except those that, because of their destination ports when the mapping is established, are known to be compatible with less port consuming mappings.
Well known ports reserved by IANA for the following applications are known to be compatible with endpoint-dependent mappings: DNS, POP3, IMAP, HTTP, HTTPS, SNMP."

Note that the words are chosen so that, although some of the listed applications concern TCP more than DCCP, they remain valid in the more limited scope of DCCP, and so that the sentence could apply unchanged to NAT requirements for UDP, TCP and SCTP.

3.
Concerning DNS, the point is particularly important because of the behavior now recommended for resolvers to mitigate the *Kaminsky vulnerability*: they use a new local port for each request, each port necessitating a new mapping in each traversed NAT.

Regards,
RD

_______________________________________________
Behave mailing list
Behave@ietf.org
https://www.ietf.org/mailman/listinfo/behave
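The port-consumption argument in the message above, worked through as an added example (this is not code from the draft or from the message's author). The model contrasts REQ-1's unconditional Endpoint-Independent Mapping (EIM) with the proposed policy: EIM by default, but an endpoint-dependent mapping for destination ports the message lists as compatible with one. The endpoint-dependent variant modelled is Address-and-Port-Dependent Mapping (APDM) in RFC 4787 terms, and the sharing rule (an external port can be reused by APDM mappings to different remotes, never by an EIM mapping) is an assumption of this model, not text from the draft. Hosts, addresses (RFC 5737 and RFC 2544 ranges), port numbers and the traffic mix are all constructed.

```python
"""Toy NAT port-allocation model: always-EIM versus EIM-with-APDM-for-well-known-ports.
Constructed example; not the draft's text and not a real NAT implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Remote = Tuple[str, int]

# IANA well-known ports of the services the message names:
# DNS, POP3, IMAP, HTTP, HTTPS, SNMP (assumption: same numbers for UDP/DCCP and TCP).
EDM_OK_PORTS = {53, 110, 143, 80, 443, 161}


@dataclass(frozen=True)
class Mapping:
    int_ip: str
    int_port: int
    ext_port: int
    remote: Optional[Remote]   # None: EIM, any remote may reach it; (ip, port): APDM


class Nat:
    """One external address; `pool` is the set of external ports it may hand out."""

    def __init__(self, pool: List[int], selective: bool):
        self.pool = pool
        self.selective = selective                     # False: always EIM (REQ-1 as written)
        self.by_int: Dict[Tuple[str, int, Optional[Remote]], Mapping] = {}
        self.by_ext: Dict[int, List[Mapping]] = {}     # external port -> mappings sharing it

    def _port_free_for(self, port: int, remote: Optional[Remote]) -> bool:
        users = self.by_ext.get(port, [])
        if not users:
            return True
        if remote is None:          # an EIM mapping must own its external port outright
            return False
        # An APDM mapping may share a port with other APDM mappings to *different*
        # remotes, because inbound packets are demultiplexed on the remote (ip, port) too.
        return all(m.remote is not None and m.remote != remote for m in users)

    def outbound(self, int_ip: str, int_port: int, dst_ip: str, dst_port: int) -> int:
        """Return the external port used for this packet, creating a mapping if needed."""
        apdm = self.selective and dst_port in EDM_OK_PORTS
        remote = (dst_ip, dst_port) if apdm else None
        key = (int_ip, int_port, remote)
        if key in self.by_int:
            return self.by_int[key].ext_port
        eim = self.by_int.get((int_ip, int_port, None))
        if eim is not None:         # an existing EIM mapping already serves every destination
            return eim.ext_port
        for port in self.pool:      # lowest-free-port allocation keeps the run deterministic
            if self._port_free_for(port, remote):
                m = Mapping(int_ip, int_port, port, remote)
                self.by_int[key] = m
                self.by_ext.setdefault(port, []).append(m)
                return port
        raise RuntimeError("external port pool exhausted")

    def inbound(self, src_ip: str, src_port: int, ext_port: int) -> Optional[Tuple[str, int]]:
        """Deliver an inbound packet to (int_ip, int_port), or None if the NAT drops it."""
        for m in self.by_ext.get(ext_port, []):
            if m.remote is None or m.remote == (src_ip, src_port):
                return (m.int_ip, m.int_port)
        return None

    def ports_in_use(self) -> int:
        return len(self.by_ext)


def simulate(selective: bool, pool_size: int = 300) -> Tuple[Nat, int]:
    """Constructed traffic mix behind one NAT:
    - a recursive resolver (10.0.0.2) sending 200 queries to 50 authoritative
      servers, using a fresh local port for every query (the Kaminsky mitigation);
    - a browser (10.0.0.3) opening 20 HTTPS connections to 20 different servers;
    - a peer-to-peer client (10.0.0.4) talking to 10 peers from local port 6881,
      which genuinely needs EIM so that peers it has not contacted can reach it.
    Returns the NAT and the number of external ports it ended up consuming."""
    nat = Nat(list(range(1024, 1024 + pool_size)), selective)
    for i in range(200):
        nat.outbound("10.0.0.2", 20000 + i, "192.0.2.%d" % (1 + i % 50), 53)
    for i in range(20):
        nat.outbound("10.0.0.3", 40000 + i, "203.0.113.%d" % i, 443)
    for i in range(10):
        nat.outbound("10.0.0.4", 6881, "203.0.113.%d" % (100 + i), 6881)
    return nat, nat.ports_in_use()


if __name__ == "__main__":
    for policy in (False, True):
        _, used = simulate(policy)
        print("selective" if policy else "always-EIM", "policy: external ports used =", used)
```

With this traffic the always-EIM NAT burns one exclusive external port per resolver query (221 ports in total), while the selective NAT needs 5: the 200 DNS mappings fold into 4 ports because queries to different authoritative servers can share one, the HTTPS connections share those same ports, and only the peer-to-peer client gets a port of its own. Two caveats the model makes visible: APDM saves nothing when every query goes to a single forwarder (each query still needs a distinct external port toward that one remote), so the gain comes from spreading mappings across destinations; and `inbound` returning `None` for an unknown sender is the filtering side effect that makes endpoint-dependent mappings acceptable for DNS or HTTP but not for an application that must accept unsolicited peers. Mapping lifetimes and port-parity rules of real NATs are not modelled.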