Re: [BEHAVE] [v6ops] protocols without need for ALG ?

Mark Smith <> Fri, 31 July 2015 23:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4B1571ACCFB; Fri, 31 Jul 2015 16:45:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5TXbt0vgwu4N; Fri, 31 Jul 2015 16:45:43 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A7FE81ACCF4; Fri, 31 Jul 2015 16:45:43 -0700 (PDT)
Received: by iodd187 with SMTP id d187so99855310iod.2; Fri, 31 Jul 2015 16:45:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=WZATmvRdK9x4BzUljz3+Y/cS+x5yAutmbSzMqTIHHew=; b=RUCcxQ/mKN824quzhEAB1rfldNBEf/UmowzQ8mx+R72qFYr88I9WLqxgHsYbm0cdbM BNbus8ibUr+XBwb9ZtBD6QRTFvOx6/nDx4mgmPseIAeOHmwuwQdIJ/AqYE+MWOvLqbTF EgetUNtB1+B/8VDfSCptbnVhXUW61glus+MMzOJeBo1j6AQkQhHr6A4CAePxwLjZcQKy 4Oc6d+VBWJ6Lon+NREkyw2f/EMCkOME1JZqZKQFmEQX3a6PMJmhHNzmmIxSOnFCEp5ms WJP79SYw/H5t4xhWOk4s5kLvG+WfE6hz0VWhU0aooWYGyb796crqXBg4DaW9R5RSFpvC a9bg==
X-Received: by with SMTP id i80mr9209178iod.123.1438386343083; Fri, 31 Jul 2015 16:45:43 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 31 Jul 2015 16:45:13 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <6536E263028723489CCD5B6821D4B21303EEFB81@UK30S005EXS06.EEAD.EEINT.CO.UK> <>
From: Mark Smith <>
Date: Sat, 1 Aug 2015 09:45:13 +1000
Message-ID: <>
To: Joe Touch <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: "" <>, v6ops list <>, "Heatley, Nick" <>, Mikael Abrahamsson <>
Subject: Re: [BEHAVE] [v6ops] protocols without need for ALG ?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 31 Jul 2015 23:45:45 -0000

On 31 July 2015 at 23:21, Joe Touch <> wrote:
> TFTP servers are typically reached at UDP port 69.
> It does not use ports or addresses in-band and thus should not need an ALG.

Hmm, to my mind, an "ALG" is necessary if something about the protocol
needs to be understood e.g., look for/change in-band ports or
addresses, and possibly set up corresponding state or temporary access
list/firewall permissions for related traffic.

In the case of TFTP, it is the "TID"s:

"The transfer identifiers (TID's) used by
   TFTP are passed to the Datagram layer to be used as ports; therefore
   they must be between 0 and 65,535.  The initialization of TID's is
   discussed in the section on initial connection protocol."

" A
   requesting host chooses its source TID as described above, and sends
   its initial request to the known TID 69 decimal (105 octal) on the
   serving host.  The response to the request, under normal operation,
   uses a TID chosen by the server as its source TID and the TID chosen
   for the previous message by the requestor as its destination TID.
   The two chosen TID's are then used for the remainder of the transfer."

I think a server could choose to continue to use 69 as its TID for the
full transfer, however in my case it didn't. I still remember it today
because I was only able to get around the unpredictable TID selection
on both ends by using just host IP addresses, which had some risks
because it was a very coarse way of selecting "interesting"
dial-on-demand traffic to hold the link up.

So if in Toerless's scenario it is stateless 1:1 translation between
IPv4 and IPv6, then I don't think an ALG would be necessary for TFTP.
However, if the translation is stateful because translation between
IPv4 and IPv6 isn't 1:1, then I think an ALG is necessary to set up a
mapping of some form.


> Joe
> On Jul 31, 2015, at 12:23 AM, Heatley, Nick <> wrote:
> Same for me.
> From: v6ops [] On Behalf Of Mark Smith
> Sent: 31 July 2015 06:40
> To: Mikael Abrahamsson
> Cc: v6ops list;
> Subject: Re: [v6ops] protocols without need for ALG ?
> On 31 Jul 2015 3:11 pm, "Mikael Abrahamsson" <> wrote:
>> On Thu, 30 Jul 2015, Owen DeLong wrote:
>>>>   SSH/SCP - OK
>>>>   syslog  - OK
>>>>   TFTP    - OK ?
>>> Should be OK, depending on which side is client. (client has to be the
>>> private address/translated side of the connection).
>> There are ALGs for TFTP from multiple vendors, and I seem to remember I
>> had problem performing TFTP download from behind a NAT, but I could be
>> mistaken. This should be investigated further.
> I'm pretty sure you'd need an ALG for TFTP over NAT, as the file transfer
> itself takes place over unspecified and unpredictable ports. This caused me
> some grief in the past when trying to have a TFTP file transfer hold up a
> dial on demand link.
> Regards,
> Mark.
>> --
>> Mikael Abrahamsson    email:
>> _______________________________________________
>> v6ops mailing list
> This e-mail (including any attachments) is intended for the above-named
> person(s).  If you are not the intended recipient, notify the sender
> immediately, delete this email from your system and do not disclose or use
> for any purpose.
> We may monitor all incoming and outgoing emails in line with current
> legislation. We have taken steps to ensure that this email and attachments
> are free from any virus, but it remains your responsibility to ensure that
> viruses do not adversely affect you.
> EE Limited
> Registered in England and Wales
> Company Registered Number: 02382161
> Registered Office Address: Trident Place, Mosquito Way, Hatfield,
> Hertfordshire, AL10 9BW
> _______________________________________________
> v6ops mailing list