Re: [BEHAVE] [v6ops] protocols without need for ALG ?

Joe Touch <touch@isi.edu> Wed, 05 August 2015 16:59 UTC

Return-Path: <touch@isi.edu>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A9821A854D; Wed, 5 Aug 2015 09:59:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.71
X-Spam-Level:
X-Spam-Status: No, score=-5.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_41=0.6, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EiVs-PTwLqus; Wed, 5 Aug 2015 09:59:19 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C4FC1A6FE7; Wed, 5 Aug 2015 09:59:19 -0700 (PDT)
Received: from [128.9.160.211] (mul.isi.edu [128.9.160.211]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id t75GvHDp022626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 5 Aug 2015 09:57:19 -0700 (PDT)
To: Mark Andrews <marka@isc.org>
References: <20150730205806.GI1667@cisco.com> <33A0B18B-5C9D-4DC3-9E0B-736D7ECA404F@delong.com> <alpine.DEB.2.02.1507310706240.11810@uplift.swm.pp.se> <CAO42Z2zH4A71B82TL3=tbagqXU1mbnt4eMDFGmuVa94gAj2-vA@mail.gmail.com> <6536E263028723489CCD5B6821D4B21303EEFB81@UK30S005EXS06.EEAD.EEINT.CO.UK> <D99CCE3A-B396-4ED3-96BD-E9A9E92B2EDE@isi.edu> <CAO42Z2zy4MjGyHYAoRnV3-G_Y3qELHtEpL+c+eOH3h05w3rXmQ@mail.gmail.com> <55BC16EB.8060007@isi.edu> <20150805083634.4CF0C3429549@rock.dv.isc.org>
From: Joe Touch <touch@isi.edu>
X-Enigmail-Draft-Status: N1110
Message-ID: <55C2406D.8000706@isi.edu>
Date: Wed, 5 Aug 2015 09:57:17 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <20150805083634.4CF0C3429549@rock.dv.isc.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/behave/WEmFG9MFGahjD-dUru9138LMqaw>
Cc: v6ops list <v6ops@ietf.org>, "behave@ietf.org" <behave@ietf.org>, Mark Smith <markzzzsmith@gmail.com>, touch@isi.edu
Subject: Re: [BEHAVE] [v6ops] protocols without need for ALG ?
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 16:59:21 -0000


On 8/5/2015 1:36 AM, Mark Andrews wrote:
> In message <55BC16EB.8060007@isi.edu>;, Joe Touch writes:
>> Hi, Mark,
>>
>> On 7/31/2015 4:45 PM, Mark Smith wrote:
>>> On 31 July 2015 at 23:21, Joe Touch <touch@isi.edu>; wrote:
>>>> TFTP servers are typically reached at UDP port 69.
>>>>
>>>> It does not use ports or addresses in-band and thus should not need an ALG.
>>>
>>> Hmm, to my mind, an "ALG" is necessary if something about the protocol
>>> needs to be understood e.g., look for/change in-band ports or
>>> addresses, and possibly set up corresponding state or temporary access
>>> list/firewall permissions for related traffic.
>>>
>>> In the case of TFTP, it is the "TID"s:
>>>
>>> "The transfer identifiers (TID's) used by
>>>    TFTP are passed to the Datagram layer to be used as ports; therefore
>>>    they must be between 0 and 65,535.  The initialization of TID's is
>>>    discussed in the section on initial connection protocol."
>>>
>>> " A
>>>    requesting host chooses its source TID as described above, and sends
>>>    its initial request to the known TID 69 decimal (105 octal) on the
>>>    serving host.  The response to the request, under normal operation,
>>>    uses a TID chosen by the server as its source TID and the TID chosen
>>>    for the previous message by the requestor as its destination TID.
>>>    The two chosen TID's are then used for the remainder of the transfer."
>>
>> Ahh, right - I forgot that TFTP doesn't stick to the same UDP port pair.
>> It works a bit like FTP in that it "hands off" the transfer to the
>> server port indicated by the server-side TID after the initial request.
>>
>>> I think a server could choose to continue to use 69 as its TID for the
>>> full transfer, however in my case it didn't.
>>
>> It never will. The first packet is supposed to have a destination TID of
>> 69 but the rest of the session uses TIDs chosen by each end.
>>
>> 	client sends sTID=X, dTID=69 on UDP sPORT=X dPORT=69
>> 	
>> 	server replies with sTID=Y, dTID=X on UDP sPORT=Y dPORT=X,
>> 	which is where the rest of the transfer stays until a new TID
>> 	is selected.
>>
>>> I still remember it today
>>> because I was only able to get around the unpredictable TID selection
>>> on both ends by using just host IP addresses, which had some risks
>>> because it was a very coarse way of selecting "interesting"
>>> dial-on-demand traffic to hold the link up.
>>
>> I'm not sure what you were doing; "using just host IP addresses" doesn't
>> fix the issue because TFTP still wants to pick TIDs, and the UDP ports
>> vary when the TIDs do.
>>
>>> So if in Toerless's scenario it is stateless 1:1 translation between
>>> IPv4 and IPv6, then I don't think an ALG would be necessary for TFTP.
>>> However, if the translation is stateful because translation between
>>> IPv4 and IPv6 isn't 1:1, then I think an ALG is necessary to set up a
>>> mapping of some form.
>>
>> So first let me backtrack - TFTP requires an ALG to work through a NAT
>> even when the client is on the private side. The return traffic content
>> needs to be inspected to be able to update the private:public
>> translation entry.
>>
>> I.e., this won't work with stateless 1:1 *or* stateful 1:1 without an
>> ALG. I can't imagine how to make sense of it safely in a non-1:1 case.
>>
>> Note that the whole point of TFTP is to be used on a LAN only. It has
>> zero security, and it's easily possible that the translation entry could
>> inadvertently affect some other UDP translation entry.
> 
> Actually it is to provide a *Trivial* File Transfer Protocol that
> works over UDP.  If it was LAN only it would be LFTP.  TFTP works
> fine over inter-continental links.  Been there, done that.

It *can* work anywhere, but its lack of security and congestion control
are good reasons not to use it outside protected environments.

Further, it was "trivial" back when TCP was thought to be comparatively
huge; reasonable implementations of TCP are very small and memory isn't
anywhere near as limited.

Joe