Re: [BEHAVE] Handling fragments in the stateful NAT64

Reinaldo Penno <rpenno@juniper.net> Tue, 01 December 2009 17:46 UTC

From: Reinaldo Penno <rpenno@juniper.net>
To: Dan Wing <dwing@cisco.com>, 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, 'Behave WG' <behave@ietf.org>
Date: Tue, 01 Dec 2009 12:43:51 -0500

Comments inline...


On 12/1/09 9:23 AM, "Dan Wing" <dwing@cisco.com> wrote:

>> -----Original Message-----
>> From: behave-bounces@ietf.org
>> [mailto:behave-bounces@ietf.org] On Behalf Of marcelo bagnulo braun
>> Sent: Tuesday, December 01, 2009 1:42 AM
>> To: Behave WG
>> Subject: [BEHAVE] Handling fragments in the stateful NAT64
>> 
>> Hi,
>> 
>> after the discussion in hiroshima, I have updated the draft.
>> The current 03 version reads:
>> 
>>    If the incoming IP packet contains a fragment, then more processing
>>    may be needed.  This specification leaves open the exact details of
>>    how a NAT64 handles incoming IP packets containing fragments, and
>>    simply requires that a NAT64 handle fragments arriving
>> out-of-order.
> 
> That sentence above says "requires that a NAT64 handle fragments arriving
> out-of-order", yet ... (see "A", below)

I agree with what was stated by Dan (If I understand it properly).  After
the first paragraph above (which pretty much leaves the mechanism open),
using normative text in other paragraphs is confusing and might lead to
interpretation issues.

On the other hand, if your NAT64 needs to handle out-of-order fragments
through whatever mechanism (as stated in the first paragraph), then that's
where you need to use normative text such as the one in RFC 4787.

Something like this from 4787:

"   REQ-14:  A NAT MUST support receiving in-order and out-of-order
      fragments, so it MUST have "Received Fragment Out of Order"
      behavior.

      a) A NAT's out-of-order fragment processing mechanism MUST be
         designed so that fragmentation-based DoS attacks do not
         compromise the NAT's ability to process in-order and
         unfragmented IP packets.
"

Thanks,

Reinaldo

> 
>>    A NAT64 MAY elect to queue the fragments as they arrive
>> and translate
>>    all fragments at the same time.  Alternatively, a NAT64
>> MAY translate
>>    the fragments as they arrive, by storing information that allows it
>>    to compute the 5-tuple for fragments other than the first.  In the
>>    latter case, the NAT64 will still need to handle the
>> situation where
>>    subsequent fragments arrive before the first.
>> 
>>    Implementors of NAT64 should be aware that there are a number of
>>    well-known attacks against IP fragmentation; see [RFC1858] and
>>    [RFC3128].
> 
> RFC4963 might be useful to cite, as well.
> 
>>    Assuming it otherwise has sufficient resources, a NAT64 MUST allow
>>    the fragments to arrive over a time interval of at least
>> 10 seconds.
> 
> "A":  The sentence below does *not* require the NAT64 to handle out-of-
> order fragments.  The sentence below contains a RFC2119 keyword, so
> I guess it is normative and overrides the non-RFC2119 sentence above,
> but it would be better if the descriptive text above matched the
> RFC2119 keyworded sentence below.  Or remove one or the other.
> 
>>    A NAT64 MAY require that the UDP, TCP, or ICMP header be completely
>>    contained within the first fragment.
> 
> -d
> 
> 
>> 
>> Let me know if you have issues with the current text. I hope
>> it reflects the received feedback.
>> 
>> Regards, marcelo
>> 
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
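The draft text quoted above describes translating fragments as they arrive by remembering the 5-tuple learned from the first fragment, while still coping with fragments that arrive before it, allowing at least 10 seconds for them, and not letting fragment handling become a DoS vector (REQ-14 a). The model below is an added illustration of that design, not code from the draft or from any NAT64 implementation; packets are plain dicts, the 64-entry queue bound is a constructed value, and no real IPv6/IPv4 header translation is performed.

```python
import time

FRAG_TIMEOUT = 10.0      # draft: fragments MUST be allowed to arrive over >= 10 s
MAX_PENDING_FRAGS = 64   # constructed bound: queued early fragments cannot exhaust state (REQ-14 a)

class Nat64FragmentHandler:
    """Translate fragments as they arrive (draft option 2): learn the 5-tuple from the
    first fragment, queue fragments that arrive before it. Packets are plain dicts."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.flows = {}          # (src, dst, ident) -> (five_tuple, learned_at)
        self.pending = {}        # (src, dst, ident) -> [(fragment, queued_at), ...]
        self.pending_count = 0   # total queued fragments across all flows

    @staticmethod
    def _five_tuple(first):
        l4 = first["l4"]         # draft MAY require the L4 header in the first fragment
        return (first["src"], first["dst"], l4["proto"], l4["sport"], l4["dport"])

    def _expire(self):
        cutoff = self.now() - FRAG_TIMEOUT
        self.flows = {k: v for k, v in self.flows.items() if v[1] >= cutoff}
        for key in list(self.pending):
            kept = [(f, t) for f, t in self.pending[key] if t >= cutoff]
            self.pending_count -= len(self.pending[key]) - len(kept)
            if kept:
                self.pending[key] = kept
            else:
                del self.pending[key]

    def handle(self, frag):
        """Return a list of (five_tuple, fragment) pairs that can now be translated."""
        self._expire()
        if frag["offset"] == 0 and not frag["more"]:
            return [(self._five_tuple(frag), frag)]        # unfragmented: stateless fast path
        key = (frag["src"], frag["dst"], frag["ident"])
        if frag["offset"] == 0:                            # first fragment: learn the 5-tuple
            ft = self._five_tuple(frag)
            self.flows[key] = (ft, self.now())
            queued = self.pending.pop(key, [])             # release out-of-order arrivals
            self.pending_count -= len(queued)
            return [(ft, frag)] + [(ft, f) for f, _ in queued]
        if key in self.flows:                              # later fragment, state known
            return [(self.flows[key][0], frag)]
        if self.pending_count >= MAX_PENDING_FRAGS:        # bounded queue: drop, don't starve
            return []
        self.pending.setdefault(key, []).append((frag, self.now()))
        self.pending_count += 1
        return []
```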