IETF Logo Mail Archive

Re: [BEHAVE] General Comments on xlate-stateful-07

Reinaldo Penno <rpenno@juniper.net> Tue, 05 January 2010 13:47 UTC

Return-Path: <rpenno@juniper.net>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17D7E3A68DA for <behave@core3.amsl.com>; Tue, 5 Jan 2010 05:47:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yzlg9LIIuVDR for <behave@core3.amsl.com>; Tue, 5 Jan 2010 05:47:35 -0800 (PST)
Received: from exprod7og125.obsmtp.com (exprod7og125.obsmtp.com [64.18.2.28]) by core3.amsl.com (Postfix) with SMTP id 0921D3A63C9 for <behave@ietf.org>; Tue, 5 Jan 2010 05:47:31 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob125.postini.com ([64.18.6.12]) with SMTP ID DSNKS0NC8k8jdOo5Nzx6x9xyezLXkP2EZdGe@postini.com; Tue, 05 Jan 2010 05:47:34 PST
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.1.393.1; Tue, 5 Jan 2010 05:44:01 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::8002:d3e7:4146:af5f]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Tue, 5 Jan 2010 08:44:00 -0500
From: Reinaldo Penno <rpenno@juniper.net>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>, Reinaldo Penno <rpenno@juniper.net>
Date: Tue, 05 Jan 2010 08:43:57 -0500
Thread-Topic: General Comments on xlate-stateful-07
Thread-Index: AcqL4U/LdSxgeqBUSIugcY5d5vVeyQCK9ELv
Message-ID: <C768821D.E162%rpenno@juniper.net>
In-Reply-To: <4B3F9D97.9080303@it.uc3m.es>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-Entourage/13.0.0.090609
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF, BEHAVE WG <behave@ietf.org>, Dave Thaler <dthaler@microsoft.com>, Dan Wing <dwing@cisco.com>
Subject: Re: [BEHAVE] General Comments on xlate-stateful-07
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2010 13:47:36 -0000

Hi,

As a larger editorial note, I would suggest having a clear and concise
requirements section like previous behave documents. Also a summary of any
REQs that each normative section introduces.

I provided the requested information inline...

On 1/2/10 11:25 AM, "marcelo bagnulo braun" <marcelo@it.uc3m.es> wrote:

> Hi,
> 
> thanks for the review.
> 
> one question about your comments
> 
> Reinaldo Penno escribió:
>> These are some general issues I feel need to be addresses before this draft
>> is published as a RFC:
>> 
>> 1 - Compliance with the previous BEHAVE RFCs seem not to have been examined
>> in detail. The draft states that:
>> 
>> " NAT64 as specified in this document is compliant with the
>>       recommendations for how NATs should handle UDP [RFC4787], TCP
>>       [RFC5382], and ICMP [RFC5508]..."
>> 
>> But reading NAT64 it seems we are not compliant with these documents. There
>> are differences in terms on how certain protocol are handled, MAYs vs.
>> SHOULDs vs. something new, etc.
>> 
>>   
> 
> do you have specfic points were the behave requirements are not
> complied? (i mean have you describe those in you detailed review you
> sent before?) If not, could you point exaxtly what behave requirements
> you think are not complied?

Sure, I included some comments in the detailed review and these are a subset
of other issues I collected while going through the spec in relation to
RFC5382. 

REQ-3: In NAT64 it is not clear the flexibility discussed in subsection a)
and b) are possible or required.

REQ-4: In NAT64 there is no SYN RCVD state in the proposed TCP state machine
and therefore you seem to be moving into ESTABLISHED state too early.

REQ-4: In the NAT64 spec it is not clear on what happens after the lifetime
expires in the case of simultaneous open. RFC5382 talks about sending ICMP
unless subsection a) applies

REQ-5: In NAT64 the ability to reap idle sessions early if the NAT can
determine if the endpoints are still alive is lost. Moreover, the ability to
configure the idle-timeout is also missing.

REQ-5: In the NAT64 spec the considerations on NAT throughput performance
due to holding session state for TCP RST and TIME_WAIT assassinations due to
holding session state are not discussed.

REQ-5: In the NAT64 spec the transition from ESTABLISHED to CLOSING (or FIN
WAIT-2) and FIN WAIT-1 is all bundled together so it is not clear when  and
who should start the TIME_WAIT timer (active vs. passive close).

REQ-6: In the NAT64 spec the considerations for ALGs seems to be missing.
Moreover needs text on how to reconcile the recommendation to have FTP ALG
enabled and the new specs.

There may be others after a more in-depth analysis. In general I think the
TCP state machine should be moved to a non-normative section or removed and
substituted by text covering only the really important aspects as in RFC5382
(which could be used almost verbatim). Otherwise I think more work is needed
in specifying it. 

A similar analysis of REQs found in other documents (including surrounding
text) should be done.

For example, in the case of RFC5508:

REQ-9: A clear statement such as the one found in REQ-9 seem to be missing
from the ICMP handling section.

REQ-10: Same as above. A concise section instead of many pages of discussion
helps furthering the understanding of the specification.

>> Therefore a proper analysis is needed of every REQ point. This would greatly
>> benefit the WG and make the document much clearer.
>> 
>>   
>> 2 - Implementation specific behavior
>> 
>> The draft accidently specifies implementation specific behavior under the
>> umbrella of ease of description, example, etc. Although existing
>> descriptions or examples are very nice, they might cause confusion (they
>> seem to already do given other emails on the list).
>> 
>> Therefore I would suggest anything that is not normative within the
>> normative section needs to be moved to an appendix or text stating beyond
>> doubt that something is just an example and developers are free as long as
>> external behavior is the same.
>> 
>>   
> same question than above, have you pointed out exactly what text you
> propose to move out of the normative descrtition?
> 

I included them in the detailed review: Data structures in general, TCP
state machine, etc

>> 3 - Security
>> 
>> The security section is very light at this point. There are many documents
>> pertaining to NAT security in general that should be referenced or more text
>> needs to be there.
>> 
>>   
> Do you have any concrete text or issues that should be covered in the
> security section?

Some of comments pertaining to the analysis of REQs early in this email also
have a security component to it and I included others in my detailed review:
TCP RST, holding state, timers, etc.

Moreover, the way the UDP and TCP handling is specified basically disallows
building a more secure NAT implementation on top of it (more on it below).
And this goes back to first point in relation to differences between
previous behave documents and this one.

For example, important security considerations related to inbound packets
resetting the timers of sessions (RFC4787) are missing.

"  This document recommends that the timers for mapping be refreshed on
   outgoing packets (see REQ-6) and does not make recommendations about
   whether or not inbound packets should update the timers.  If inbound
   packets update the timers, an external attacker can keep the mapping
   alive forever and attack future devices that may end up with the same
   internal address. "

The NAT64 spec allows inbound packets by default to reset the timer in
normal UDP packet handling and also in the case of TCP, TCP RST, etc. This
is a important practical considerations that secure NAT implementations take
into account.

> 
> Regards, marcelo
> 
>> Misc Item:
>> 
>> 4 - The use X', T, t and others... I do not know the history behind this
>> nomenclature but I would suggest something more intuitive such as S-IPv6,
>> D-IPv6, etc. 

How about this one? Can actual addresses be used in section 1.2.2? Or some
other nomenclature?

Thanks,

Reinaldo

>> 
>> Thanks,
>> 
>> Reinaldo
>> 
>> 
>> 
>> 
>> 
>> 
>>   
>

v2.39.1 | Report a Bug | By Email | System Status