Re: [BEHAVE] NAPGT request for comments, THANKS!
Simon Perreault <simon.perreault@viagenie.ca> Wed, 17 July 2013 08:41 UTC
Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A00D21F9D0E for <behave@ietfa.amsl.com>; Wed, 17 Jul 2013 01:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19VFBjOu4w1P for <behave@ietfa.amsl.com>; Wed, 17 Jul 2013 01:41:18 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id 518B621F9A43 for <behave@ietf.org>; Wed, 17 Jul 2013 01:41:18 -0700 (PDT)
Received: from [IPv6:::1] (unknown [IPv6:2001:660:3001:4012:5b8:1f9e:c21b:48d7]) by jazz.viagenie.ca (Postfix) with ESMTPSA id 95293403F5 for <behave@ietf.org>; Wed, 17 Jul 2013 04:41:17 -0400 (EDT)
Message-ID: <51E658AC.9070006@viagenie.ca>
Date: Wed, 17 Jul 2013 10:41:16 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: behave@ietf.org
References: <OF50A98C07.6E747C89-ON48257BAB.00257C5C-48257BAB.002CC34E@zte.com.cn>
In-Reply-To: <OF50A98C07.6E747C89-ON48257BAB.00257C5C-48257BAB.002CC34E@zte.com.cn>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 08:41:19 -0000
It seems you guys are forgetting about RFC 4787 REQ-3 a):
a) If the host's source port was in the range 0-1023, it is
RECOMMENDED the NAT's source port be in the same range. If the
host's source port was in the range 1024-65535, it is
RECOMMENDED that the NAT's source port be in that range.
Does anything more need to be said about this?
Simon
Le 2013-07-17 10:08, meng.wei2@zte.com.cn a écrit :
>
> Hi,
> I got what the example means.
>
> 1-1024 is just an example, the range could be any valid value.
>
> "<1-1024> might be used as NAT, <1025-65535> might be used as
> dynamic NAPT", example is as below.
>
> +----------+ +-----+ +--------+
> + Internet + ----+ NAT +----+ Server +
> +----------+ +-----+ +--------+
>
> (1) "<1-1024> might be used as NAT" means,
> A server behind a NAT.
> A message, sent by server, its source port is in 1-1024 (or 4500-4501
> or ...).
> The source address will be converted by NAT, the source port remains
> the same.
>
> (2)<1025-65535> might be used as dynamic NAPT
> Meanwhile, many hosts are behind NAT. They attempt to access to
> internet.
> A message, sent by a host, both its source address and port will
> be converted by NAT, and the new port will be in 1025-65535.
>
>
> It will make IP address assignment more effective.
>
> Cheers,
> Wei
>
>
>
> behave-bounces@ietf.org 2013-07-17 12:36:30:
>
>> Hi,
>>
>> I'm not sure what exactly you man by "might be used as NAT".
>>
>> 0-1024 might be used for NAPT in a FCFS basis where port
>> preservation (this is what we are talking about here, right?) is needed.
>>
>> As a concrete example, many IPsec Servers still expect to see the
>> source port within 0-1024 and preferably a specific source port. If
>> that source port is used by the NAT, and more than one IPsec client
>> is behind it, there are a some choices available.
>>
>> - Some funky IPSec ALG (implemented in many products)
>> - Give a port above 1024 and hope for the best
>> - Deny the connection
>> - others..
>>
>> Other ports for the same public IP can be used by any other internal
>> IP address. This is very common in implementations.
>>
>> thanks,
>>
>> From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of
>> meng.wei2@zte.com.cn [meng.wei2@zte.com.cn]
>> Sent: Tuesday, July 16, 2013 8:22 PM
>> To: Reinaldo Penno (repenno)
>> Cc: behave-bounces@ietf.org; behave@ietf.org; Dan Wing (dwing)
>> Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
>
>>
>> Hi Reinaldo,
>> So I suppose <1-1024> might be used as NAT, <1025-65535> might be
> used as
>> dynamic NAPT.
>> That is what this view says in the draft.
>>
>> Cheers,
>> Wei
>>
>>
>> behave-bounces@ietf.org 2013-07-17 09:52:34:
>>
>> > I'm not sure this is a good idea. There are still some protocols
>> > around that use ports < 1024 and maintaining the source port after
>> > translation in this range is important.
>> >
>> > From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of
>> > Dan Wing (dwing)
>> > Sent: Tuesday, July 16, 2013 3:30 PM
>> > To: meng.wei2@zte.com.cn
>> > Cc: behave@ietf.org
>> > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
>>
>> >
>> > On Jul 15, 2013, at 2:43 AM, meng.wei2@zte.com.cn wrote:
>> >
>> > I have submitted a new draft. The objective is to solve a
> problem that
>> > prevents an external client from accessing an internal server.
>> >
>> > https://datatracker.ietf.org/doc/draft-meng-behave-napgt/
>> >
>> > I expect your comments. Thanks a lot!
>> >
>> > Draft-meng-behave-napgt appears to describe something that is very
>> > similar to the long-standing "DMZ host" configuration available on
>> > almost all residential-class NAT devices. I don't think we could
>> > standardize that behavior, but perhaps that is possible.
>> >
>> > Draft-meng-behave-napgt also describes an update to the port
>> > assignment behavior described in http://tools.ietf.
>> > org/html/rfc5382#section-7.1 (TCP) and http://tools.ietf.
>> > org/html/rfc4787#section-4.2.1 (UDP). If I understand Section 4 of
>> > draft-meng-behave-napgt properly, it is saying that NATs should not
>> > assign ports below 1024 to dynamic connections. This might be
>> > something worth considering for draft-ietf-behave-requirements-update?
>> >
>> > -d
- [BEHAVE] Fwd: I-D Action: draft-chen-behave-nat64… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Dan Wing
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Simon Perreault
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)