Re: [BEHAVE] [v6ops] protocols without need for ALG ?

Joe Touch <touch@isi.edu> Tue, 04 August 2015 17:47 UTC

Return-Path: <touch@isi.edu>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 639171A8A6A; Tue, 4 Aug 2015 10:47:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgj_KSLl-3eV; Tue, 4 Aug 2015 10:47:40 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF9B21A8A65; Tue, 4 Aug 2015 10:47:40 -0700 (PDT)
Received: from [128.9.184.236] ([128.9.184.236]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id t74Hl7Eg029392 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 4 Aug 2015 10:47:08 -0700 (PDT)
To: Mark Smith <markzzzsmith@gmail.com>
References: <20150730205806.GI1667@cisco.com> <33A0B18B-5C9D-4DC3-9E0B-736D7ECA404F@delong.com> <alpine.DEB.2.02.1507310706240.11810@uplift.swm.pp.se> <CAO42Z2zH4A71B82TL3=tbagqXU1mbnt4eMDFGmuVa94gAj2-vA@mail.gmail.com> <6536E263028723489CCD5B6821D4B21303EEFB81@UK30S005EXS06.EEAD.EEINT.CO.UK> <D99CCE3A-B396-4ED3-96BD-E9A9E92B2EDE@isi.edu> <CAO42Z2zy4MjGyHYAoRnV3-G_Y3qELHtEpL+c+eOH3h05w3rXmQ@mail.gmail.com> <55BC16EB.8060007@isi.edu> <CAO42Z2x2zwMwKy7974A7PVmTVd5fDq9TTW2sirtiE_Y7_UtWPA@mail.gmail.com>
From: Joe Touch <touch@isi.edu>
X-Enigmail-Draft-Status: N1110
Message-ID: <55C0FA9A.1020001@isi.edu>
Date: Tue, 4 Aug 2015 10:47:06 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <CAO42Z2x2zwMwKy7974A7PVmTVd5fDq9TTW2sirtiE_Y7_UtWPA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: t74Hl7Eg029392
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/behave/Cldvq7kc2GPZs0xFAWFrlqy3Bjg>
Cc: "behave@ietf.org" <behave@ietf.org>, v6ops list <v6ops@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>, "Heatley, Nick" <nick.heatley@ee.co.uk>, touch@isi.edu
Subject: Re: [BEHAVE] [v6ops] protocols without need for ALG ?
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2015 17:47:42 -0000

Hi, Mark,

On 7/31/2015 7:50 PM, Mark Smith wrote:
...
> If I recall correctly, FTP uses TCP port 20 on one of the ends of the
> file transfer, so that's the fixed port you can match on if you need
> to.

FTP has two modes. Active mode uses a fixed server port (21) for
commands and a fixed client port (20) for each data transfer.

Passive mode uses a fixed server port (21) and let's the server tell the
client the server's port for each subsequent transfer. Passive mode
won't work when the client is behind a NAT because the server can't call
the client on a known port.

In passive mode, the ports are sent back from the server in-band. It
works when the client is on the private side of a NAT because the client
still calls the server.

In-band port numbers are used only in passive mode. You'd think that
would mean that passive mode would require translation, but it's because
of the direction of the use of the ports that translation isn't required.

>>> I think a server could choose to continue to use 69 as its TID for the
>>> full transfer, however in my case it didn't.
...
> I haven't thought much about it, however I was thinking that the
> combination of client address and TID would uniquely identify the file
> transfer, so the server could still use TID 69 if it chose to.

Yes, it *could*, and that'd be a decision totally up to the server.
However, the server code would need to know when it can 'reuse' that
number. By the current spec, the TIDs are not reused (for some time
period) regardless of address, which simplifies servers state.

Note that there might be another reason for this. Booting might occur
from a temporary address or even a shared address, so there might be a
benefit to not needing to avoid reuse of that one port to that one address.

...
>>> So if in Toerless's scenario it is stateless 1:1 translation between
>>> IPv4 and IPv6, then I don't think an ALG would be necessary for TFTP.
>>> However, if the translation is stateful because translation between
>>> IPv4 and IPv6 isn't 1:1, then I think an ALG is necessary to set up a
>>> mapping of some form.
>>
>> So first let me backtrack - TFTP requires an ALG to work through a NAT
>> even when the client is on the private side. The return traffic content
>> needs to be inspected to be able to update the private:public
>> translation entry.
>>
>> I.e., this won't work with stateless 1:1 *or* stateful 1:1 without an
>> ALG. I can't imagine how to make sense of it safely in a non-1:1 case.
>>
> 
> I was thinking that stateless 1:1 translation between IPv4 and IPv6
> addresses in the IP headers would work without an TFTP ALG, as long as
> the UDP Ports/TIDs could be ignored, as there are no IP addresses in
> the TFTP packets that would need to be translated.

I really don't think you want to run TFTP through anything that isn't
local (see below).

...
>> Note that the whole point of TFTP is to be used on a LAN only. It has
>> zero security, and it's easily possible that the translation entry could
>> inadvertently affect some other UDP translation entry.
> 
> For many years it was the only way to upload firmware and
> configuration into a certain vendor's routers, and usually they were
> remote!

People used to leave their front doors unlocked too, but those days are
over. IMO, TFTP ought to be blocked through anything that indicates
"off-lan" access.

(even though TFTP is still widely used, e.g., in UEFI)

Joe