Re: [BEHAVE] [v6ops] protocols without need for ALG ?
Mark Andrews <marka@isc.org> Wed, 05 August 2015 08:36 UTC
Return-Path: <marka@isc.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AB221B2DBF; Wed, 5 Aug 2015 01:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_41=0.6, J_CHICKENPOX_51=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C81mBelT2qIi; Wed, 5 Aug 2015 01:36:43 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA6CE1B2DBD; Wed, 5 Aug 2015 01:36:42 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.ams1.isc.org (Postfix) with ESMTPS id D41071FCB9D; Wed, 5 Aug 2015 08:36:38 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 5681D16007F; Wed, 5 Aug 2015 08:37:42 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1A87716006F; Wed, 5 Aug 2015 08:37:42 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id zVFYXlnPYlcJ; Wed, 5 Aug 2015 08:37:42 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 7DEC6160042; Wed, 5 Aug 2015 08:37:41 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4CF0C3429549; Wed, 5 Aug 2015 18:36:34 +1000 (EST)
To: Joe Touch <touch@isi.edu>
From: Mark Andrews <marka@isc.org>
References: <20150730205806.GI1667@cisco.com> <33A0B18B-5C9D-4DC3-9E0B-736D7ECA404F@delong.com> <alpine.DEB.2.02.1507310706240.11810@uplift.swm.pp.se> <CAO42Z2zH4A71B82TL3=tbagqXU1mbnt4eMDFGmuVa94gAj2-vA@mail.gmail.com> <6536E263028723489CCD5B6821D4B21303EEFB81@UK30S005EXS06.EEAD.EEINT.CO.UK> <D99CCE3A-B396-4ED3-96BD-E9A9E92B2EDE@isi.edu> <CAO42Z2zy4MjGyHYAoRnV3-G_Y3qELHtEpL+c+eOH3h05w3rXmQ@mail.gmail.com> <55BC16EB.8060007@isi.edu>
In-reply-to: Your message of "Fri, 31 Jul 2015 17:46:35 -0700." <55BC16EB.8060007@isi.edu>
Date: Wed, 05 Aug 2015 18:36:34 +1000
Message-Id: <20150805083634.4CF0C3429549@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/behave/IpF1unp5VqYFQKpmPrs3BL-_iUs>
Cc: v6ops list <v6ops@ietf.org>, "behave@ietf.org" <behave@ietf.org>, Mark Smith <markzzzsmith@gmail.com>
Subject: Re: [BEHAVE] [v6ops] protocols without need for ALG ?
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 08:36:44 -0000
In message <55BC16EB.8060007@isi.edu>, Joe Touch writes: > Hi, Mark, > > On 7/31/2015 4:45 PM, Mark Smith wrote: > > On 31 July 2015 at 23:21, Joe Touch <touch@isi.edu> wrote: > >> TFTP servers are typically reached at UDP port 69. > >> > >> It does not use ports or addresses in-band and thus should not need an ALG. > > > > Hmm, to my mind, an "ALG" is necessary if something about the protocol > > needs to be understood e.g., look for/change in-band ports or > > addresses, and possibly set up corresponding state or temporary access > > list/firewall permissions for related traffic. > > > > In the case of TFTP, it is the "TID"s: > > > > "The transfer identifiers (TID's) used by > > TFTP are passed to the Datagram layer to be used as ports; therefore > > they must be between 0 and 65,535. The initialization of TID's is > > discussed in the section on initial connection protocol." > > > > " A > > requesting host chooses its source TID as described above, and sends > > its initial request to the known TID 69 decimal (105 octal) on the > > serving host. The response to the request, under normal operation, > > uses a TID chosen by the server as its source TID and the TID chosen > > for the previous message by the requestor as its destination TID. > > The two chosen TID's are then used for the remainder of the transfer." > > Ahh, right - I forgot that TFTP doesn't stick to the same UDP port pair. > It works a bit like FTP in that it "hands off" the transfer to the > server port indicated by the server-side TID after the initial request. > > > I think a server could choose to continue to use 69 as its TID for the > > full transfer, however in my case it didn't. > > It never will. The first packet is supposed to have a destination TID of > 69 but the rest of the session uses TIDs chosen by each end. > > client sends sTID=X, dTID=69 on UDP sPORT=X dPORT=69 > > server replies with sTID=Y, dTID=X on UDP sPORT=Y dPORT=X, > which is where the rest of the transfer stays until a new TID > is selected. > > > I still remember it today > > because I was only able to get around the unpredictable TID selection > > on both ends by using just host IP addresses, which had some risks > > because it was a very coarse way of selecting "interesting" > > dial-on-demand traffic to hold the link up. > > I'm not sure what you were doing; "using just host IP addresses" doesn't > fix the issue because TFTP still wants to pick TIDs, and the UDP ports > vary when the TIDs do. > > > So if in Toerless's scenario it is stateless 1:1 translation between > > IPv4 and IPv6, then I don't think an ALG would be necessary for TFTP. > > However, if the translation is stateful because translation between > > IPv4 and IPv6 isn't 1:1, then I think an ALG is necessary to set up a > > mapping of some form. > > So first let me backtrack - TFTP requires an ALG to work through a NAT > even when the client is on the private side. The return traffic content > needs to be inspected to be able to update the private:public > translation entry. > > I.e., this won't work with stateless 1:1 *or* stateful 1:1 without an > ALG. I can't imagine how to make sense of it safely in a non-1:1 case. > > Note that the whole point of TFTP is to be used on a LAN only. It has > zero security, and it's easily possible that the translation entry could > inadvertently affect some other UDP translation entry. Actually it is to provide a *Trivial* File Transfer Protocol that works over UDP. If it was LAN only it would be LFTP. TFTP works fine over inter-continental links. Been there, done that. > Joe > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [BEHAVE] [v6ops] protocols without need for A… Owen DeLong
- Re: [BEHAVE] [v6ops] protocols without need for A… Joe Touch
- Re: [BEHAVE] [v6ops] protocols without need for A… Owen DeLong
- Re: [BEHAVE] [v6ops] protocols without need for A… Mikael Abrahamsson
- Re: [BEHAVE] [v6ops] protocols without need for A… Mikael Abrahamsson
- Re: [BEHAVE] [v6ops] protocols without need for A… Joe Touch
- Re: [BEHAVE] [v6ops] protocols without need for A… Ca By
- Re: [BEHAVE] [v6ops] protocols without need for A… Brian E Carpenter
- Re: [BEHAVE] [v6ops] protocols without need for A… STARK, BARBARA H
- [BEHAVE] protocols without need for ALG ? Toerless Eckert
- Re: [BEHAVE] [v6ops] protocols without need for A… Toerless Eckert
- Re: [BEHAVE] [v6ops] protocols without need for A… Mark Smith
- Re: [BEHAVE] [v6ops] protocols without need for A… Toerless Eckert
- Re: [BEHAVE] [v6ops] protocols without need for A… Heatley, Nick
- Re: [BEHAVE] [v6ops] protocols without need for A… Heatley, Nick
- Re: [BEHAVE] [v6ops] protocols without need for A… 🔓Dan Wing
- Re: [BEHAVE] [v6ops] protocols without need for A… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] [v6ops] protocols without need for A… Tore Anderson
- Re: [BEHAVE] protocols without need for ALG ? Michael Richardson
- Re: [BEHAVE] [v6ops] protocols without need for A… Mark Smith
- Re: [BEHAVE] [v6ops] protocols without need for A… Joe Touch
- Re: [BEHAVE] [v6ops] protocols without need for A… Mark Smith
- Re: [BEHAVE] [v6ops] protocols without need for A… Toerless Eckert
- Re: [BEHAVE] [v6ops] protocols without need for A… Tore Anderson
- Re: [BEHAVE] [v6ops] protocols without need for A… Joe Touch
- Re: [BEHAVE] protocols without need for ALG ? ietfdbh
- Re: [BEHAVE] [v6ops] protocols without need for A… Mark Andrews
- Re: [BEHAVE] [v6ops] protocols without need for A… Joe Touch