[BEHAVE] [Technical Errata Reported] RFC6146 (4756)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 02 August 2016 00:08 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 92A6112B038 for <behave@ietfa.amsl.com>; Mon, 1 Aug 2016 17:08:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.889
X-Spam-Status: No, score=-103.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2NC_Ijou7dET for <behave@ietfa.amsl.com>; Mon, 1 Aug 2016 17:08:35 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ED51128E19 for <behave@ietf.org>; Mon, 1 Aug 2016 17:08:35 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 20445B806A1; Mon, 1 Aug 2016 17:08:35 -0700 (PDT)
To: marcelo@it.uc3m.es, philip_matthews@magma.ca, iljitsch@muada.com, spencerdawkins.ietf@gmail.com, ietf@kuehlewind.net, dwing@cisco.com, dthaler@microsoft.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160802000835.20445B806A1@rfc-editor.org>
Date: Mon, 1 Aug 2016 17:08:35 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/QEI80KE_ETBmzaGn2OdSw6rt9mQ>
Cc: ydahhrk@gmail.com, behave@ietf.org, rfc-editor@rfc-editor.org
Subject: [BEHAVE] [Technical Errata Reported] RFC6146 (4756)
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 00:08:36 -0000

The following errata report has been submitted for RFC6146,
"Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers".

You may review the report below and at:

Type: Technical
Reported by: Alberto Leiva Popper <ydahhrk@gmail.com>

Section: 3.5.3

Original Text
If the NAT64 filters on its IPv4 interface, then the NAT64 checks
to see if the incoming packet is allowed according to the Address-
Dependent Filtering rule.  To do this, it searches for a Session
Table Entry with an STE source IPv4 address equal to X, an STE
ICMPv4 Identifier equal to i2, and a STE destination IPv4 address
equal to Y.  If such an entry is found (there may be more than
one), packet processing continues.  Otherwise, the packet is
discarded.  If the packet is discarded, then an ICMP error message
MAY be sent to the original sender of the packet.  The ICMP error
message, if sent, has Type 3 (Destination Unreachable) and Code 13
(Communication Administratively Prohibited).

In case the packet is not discarded in the previous processing
steps (either because the NAT64 is not filtering or because the
packet is compliant with the Address-Dependent Filtering rule),
then the NAT64 searches for a Session Table Entry (...)

Corrected Text
The NAT64 then searches for a Session Table Entry (...)

The statement "there may be more than one" is incorrect; the triplet (X,i2,Y) constitutes the whole ICMP session's v4 identifier. Considering that, the whole paragraph tends to fall apart.

The point of Address-Dependent Filtering (ADF) is to provide a means to allow or disallow IPv4-started "sibling" connections. If there is an ongoing connection whose binding state is

	BIB entry: (*,*)       <--> (T,t)
	Session: (*,*),(*,*) <--> (T,t),(Z,z)

(Left side is v6, right side is v4. This is the same notation as the RFC; see for example https://tools.ietf.org/html/rfc6146#section-3.5.1; '*' is anything/irrelevant)

Then ADF dictates whether the v4 endpoint is allowed to create the following new session (using the same BIB entry):

	Session: (*,*),(*,*) <--> (T,t),(Z,m)

(where 'z' is not equal to 'm')

ADF works in UDP/TCP because t and z/m are separate variables. This is not the case in ICMP:

	BIB entry: (*,*)       <--> (T,t)
	Session: (*,*,*)     <--> (T,t,Z)

If only one ICMP triplet can match, there is no room for "sibling" ICMP "connections" that share a "source" IPv4 identifier but not a "destination" IPv4 identifier like TCP and UDP do. The two pings will share both BIB entry and v4 endpoint address and therefore also share the session. The NAT64 is incapable of telling the two pings apart, and therefore cannot filter one of them.

There is no such thing as "Address-Dependent Filtering" on ICMP.

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

RFC6146 (draft-ietf-behave-v6v4-xlate-stateful-12)
Title               : Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
Publication Date    : April 2011
Author(s)           : M. Bagnulo, P. Matthews, I. van Beijnum
Category            : PROPOSED STANDARD
Source              : Behavior Engineering for Hindrance Avoidance
Area                : Transport
Stream              : IETF
Verifying Party     : IESG