[BEHAVE] Errata 4756 on RFC6146

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 16 September 2020 14:13 UTC


Hi,

I am trying to conclude on any remaining errata on BEHAVE WG RFCs.

One of the reported ones is on RFC 6146:

https://www.rfc-editor.org/errata/eid4756

I would appreciate input on how to resolve this one. I got the impression that
the report is right on the key aspect that there can't be multiple STE entries.
However, I think there would be more work here on clarifying what is actually
wrong and what is maybe unclear.

To me this looks like a Hold for Document update. Else the errata needs
clarification and reformulation.


Errata ID: 4756
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Alberto Leiva Popper
Date Reported: 2016-08-02

Section 3.5.3 says:

If the NAT64 filters on its IPv4 interface, then the NAT64 checks
to see if the incoming packet is allowed according to the Address-
Dependent Filtering rule.  To do this, it searches for a Session
Table Entry with an STE source IPv4 address equal to X, an STE
ICMPv4 Identifier equal to i2, and a STE destination IPv4 address
equal to Y.  If such an entry is found (there may be more than
one), packet processing continues.  Otherwise, the packet is
discarded.  If the packet is discarded, then an ICMP error message
MAY be sent to the original sender of the packet.  The ICMP error
message, if sent, has Type 3 (Destination Unreachable) and Code 13
(Communication Administratively Prohibited).

In case the packet is not discarded in the previous processing
steps (either because the NAT64 is not filtering or because the
packet is compliant with the Address-Dependent Filtering rule),
then the NAT64 searches for a Session Table Entry (...)

It should say:

The NAT64 then searches for a Session Table Entry (...)

Notes:

The statement "there may be more than one" is incorrect; the triplet (X,i2,Y)
constitutes the whole ICMP session's v4 identifier. Considering that, the whole
paragraph tends to fall apart.

The point of Address-Dependent Filtering (ADF) is to provide a means to allow or
disallow IPv4-started "sibling" connections. If there is an ongoing connection
whose binding state is

BIB entry: (*,*) <--> (T,t)
Session: (*,*),(*,*) <--> (T,t),(Z,z)

(Left side is v6, right side is v4. This is the same notation as the RFC; see
for example https://tools.ietf.org/html/rfc6146#section-3.5.1; '*' is
anything/irrelevant)

Then ADF dictates whether the v4 endpoint is allowed to create the following new
session (using the same BIB entry):

Session: (*,*),(*,*) <--> (T,t),(Z,m)

(where 'z' is not equal to 'm')

ADF works in UDP/TCP because t and z/m are separate variables. This is not the
case in ICMP:

BIB entry: (*,*) <--> (T,t)
Session: (*,*,*) <--> (T,t,Z)

If only one ICMP triplet can match, there is no room for "sibling" ICMP
"connections" that share a "source" IPv4 identifier but not a "destination" IPv4
identifier like TCP and UDP do. The two pings will share both BIB entry and v4
endpoint address and therefore also share the session. The NAT64 is incapable of
telling the two pings apart, and therefore cannot filter one of them.

There is no such thing as "Address-Dependent Filtering" on ICMP. 

--- End of Errata ---




-- 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Mobile +46 73 0949079
Torshamnsgatan 23           |
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
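The session-key argument in the quoted errata, worked through as an added example (not code from RFC 6146, the errata report, or the sender): a toy model of the IPv4 half of the NAT64 session table in the errata's notation, where the UDP/TCP key carries a remote port the ICMP key lacks. The addresses and port/identifier values are constructed sample values.

```python
# Added example, not from RFC 6146 or the errata report: a toy model of the
# IPv4 half of the NAT64 session table in the errata's notation (BIB mapping
# (T,t); remote endpoint (Z,z) for UDP/TCP, remote address Z for ICMP), used to
# show why Address-Dependent Filtering has a "sibling" session to reject for
# UDP/TCP but not for ICMP. All addresses and numbers are constructed samples.

# IPv4-side STE keys, keyed on exactly the fields the RFC's lookup uses.
def udp_ste_key(T, t, Z, z):
    return ("udp", T, t, Z, z)

def icmp_ste_key(T, t, Z):
    return ("icmp", T, t, Z)        # the (X, i2, Y) triplet of Section 3.5.3

# Address-Dependent Filtering: an inbound IPv4 packet passes only if a session
# with the packet's exact IPv4-side tuple already exists in the table.
def adf_allows(session_table, key):
    return key in session_table

# Constructed sample: the NAT64 holds mapping (T,t) and one open session to Z.
T, t = "192.0.2.1", 5000            # NAT64 IPv4 address and mapped port/identifier
Z, z, m = "198.51.100.7", 53, 5353  # remote IPv4 host and two of its ports (z != m)

UDP_SESSIONS = {udp_ste_key(T, t, Z, z)}
ICMP_SESSIONS = {icmp_ste_key(T, t, Z)}

def udp_sibling_filtered():
    """UDP/TCP: the existing (Z,z) flow passes while the sibling (Z,m) flow,
    which reuses the same BIB entry (T,t), is rejected by ADF."""
    existing = adf_allows(UDP_SESSIONS, udp_ste_key(T, t, Z, z))
    sibling = adf_allows(UDP_SESSIONS, udp_ste_key(T, t, Z, m))
    return existing, sibling        # (True, False): ADF has a decision to make

def icmp_sibling_count():
    """ICMP: two pings from Z to (T,t) both carry identifier t, so they produce
    the same STE key and are one session; ADF cannot admit one and reject the
    other because the NAT64 has no field left to tell them apart."""
    first_ping = icmp_ste_key(T, t, Z)
    second_ping = icmp_ste_key(T, t, Z)
    return len({first_ping, second_ping}), adf_allows(ICMP_SESSIONS, second_ping)
    # (1, True): the "sibling" is the very same session

def icmp_other_host_filtered():
    """For comparison: a ping from a different IPv4 host to the same mapping
    (T,t) simply fails the (X, i2, Y) lookup, since Y is part of the key."""
    return adf_allows(ICMP_SESSIONS, icmp_ste_key(T, t, "203.0.113.9"))   # False
```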