[BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis
ivan c <ivan@cacaoweb.org> Sun, 16 June 2013 19:13 UTC
Return-Path: <ivan@cacaoweb.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C09221F9B10 for <behave@ietfa.amsl.com>; Sun, 16 Jun 2013 12:13:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0G6w26GN+rb8 for <behave@ietfa.amsl.com>; Sun, 16 Jun 2013 12:13:28 -0700 (PDT)
Received: from mail.cacaoweb.org (mail.cacaoweb.org [46.105.102.78]) by ietfa.amsl.com (Postfix) with ESMTP id BCA9621F9B12 for <behave@ietf.org>; Sun, 16 Jun 2013 12:13:27 -0700 (PDT)
Received: from www-data by mail.cacaoweb.org with local (Exim 4.72) (envelope-from <ivan@cacaoweb.org>) id 1UoIP2-0006zX-HO for behave@ietf.org; Sun, 16 Jun 2013 21:14:16 +0200
To: behave@ietf.org
X-PHP-Originating-Script: 0:func.inc
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_53505bc5841078ca128b127b021f622a"
Date: Sun, 16 Jun 2013 21:14:16 +0200
From: ivan c <ivan@cacaoweb.org>
Organization: cacaoweb
Message-ID: <3a724be2431cf7249b3d46cf378f85bf@cacaoweb.org>
X-Sender: ivan@cacaoweb.org
User-Agent: RoundCube Webmail/0.3.1
Subject: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ivan@cacaoweb.org
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jun 2013 19:28:49 -0000
Hello, This is my review of draft-penno-behave-rfc4787-5382-5508-bis [1], which is indeed a step in the right direction and corrects omissions and unspecified behaviors left by previous documents. I support its adoption as a working group document. * 3.1.2.1. Rewrite timestamp and sequence number values at NAT Requiring NATs to rewrite timestamps and ISNs seems overkill. Generally, mangling with the TCP protocol header other than by rewriting the source endpoint should not be done by NATs. On the other hand, improving the current situation regarding the TIME_WAIT state by carefully designed filtering rules without altering the TCP header seems acceptable. * 4. Port overlapping behavior This is becoming a pressing issue due to increase deployment of CGNs for IPv4 worldwide. As far as I know, the traditional term to describe this behavior is "port overloading". The term overlapping refers to when two sets have a non empty intersection (they are said to be "overlapping" sets). Overloading is the correct term and was previously used in RFC5382 and RFC4787. Port overloading is problematic for UDP, as P2P applications generally multiplex several UDP communications over the same socket. The probability that two internal peers communicate to the same remote endpoint can be non-negligeable, depending on the number of UDP communications and characteristics intrinsic to the p2p application. See Birthday Paradox. For TCP, this problem does not arise nrealy as much as there is a one-to-one mapping between sockets and TCP communications (POSIX does not allow to bind multiple sockets to the same local endpoint for outbound connections). Thus the probability for conflict is much lower. [RFC5382] REQ-1 indeed requires EIM, but it is important to note that the EIM behavior is required by applications that rely on a POSIX "hack", that is the set up of the SO_REUSEADDR option on the socket to bind two successive outbound connections on the same local endpoint. This hack is controversial and thus [RFC5382] REQ-1 is subject to controversy, for the following reasons: SO_REUSEADDR behavior is left unspecified by POSIX. SO_REUSEADDR is generally implemented by OSes to bypass the TIME_WAIT state for network servers. It violates TCP quiet time, TIME_WAIT and can lead to data corruption. It should generally only be used by listening servers, not client making outbound connections. Its use is discouraged in production for listening servers. RFC 6528. A correct way to achieve TCP port prediction (which is what [RFC5382] REQ-1 is really about without saying it) without relying on POSIX hacks is to require the NAT to be port-preserving. Port prediction is straightforward in the case of port preservation. It also works nicely with port overloading, and allows p2p applications to work without the need of a third party public server for each TCP communication instantiation. Thus it allows NAT traversal for fully decentralized p2p applications. Most NATs in the wild implement TCP port preservation for this reason. * End of page 8 The external references provided point to a website written only in japanese. It would be nice to provide a pointer to the english version of these web pages. * 6. EIF Security Indeed, EIF poses security concerns. At the very least, use of Address-Dependent Filtering should be recommended. Applications requiring EIF to function are clearly badly designed and it is not the role of an RFC to support incorrect designs. * 7. EIF Protocol Independence Do you have any reasonable use for this? In other words, a situation where to punch a UDP hole in a NAT, you want to send a TCP SYN first? (If that's the case, why not sending a UDP packet instead of a TCP SYN...?). If not, it would be cleaner in my opinion to leave this requirement out. If yes, it would be nicer to describe the real-world use, as i'm sure most of us are not familiar with it. * 8. EIF Mapping Refresh (This really only applies to UDP. For TCP, NATs simply keep the mapping as long as the connection is considered on from TCP point of view.) Agreed, [RFC4787]: REQ-6 is too liberal regarding mapping refreshes. It would be better to recommend Address-Dependent Filtering and Address-Dependent mapping refreshes. 8.1 Agreed, this point has definitely been overlooked too by RFC5382 * 9. EIM Protocol Independence Agreed * 11. Port Randomization Agreed, although it doesn't alleviate the fact the port randomization should be implemented by the client OS in the first place. The NAT role is not to harden TCP security. And as you note, this cannot be implemented if the NAT is TCP port preserving, which makes up the majority of NATs in the wild. -- _Ivan C._ Links: ------ [1] http://www.ietf.org/mail-archive/web/behave/current/msg10831.html
- [BEHAVE] review of draft-penno-behave-rfc4787-538… ivan c
- Re: [BEHAVE] review of draft-penno-behave-rfc4787… Reinaldo Penno (repenno)
- Re: [BEHAVE] review of draft-penno-behave-rfc4787… Kengo Naito
- Re: [BEHAVE] review of draft-penno-behave-rfc4787… ivan c
- Re: [BEHAVE] review of draft-penno-behave-rfc4787… Kengo Naito
- Re: [BEHAVE] review of draft-penno-behave-rfc4787… Washam Fan