[Ietf-behave] Minutes from Dallas
"Dan Wing" <dwing@cisco.com> Wed, 19 April 2006 23:14 UTC
From: Dan Wing <dwing@cisco.com>
Date: Wed, 19 Apr 2006 16:14:33 -0700
Subject: [Ietf-behave] Minutes from Dallas
Message-ID: <01f801c66407$045e5ec0$8b82200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain
Minutes, BEHAVE WG at IETF 65 Minutes edited by Dan Wing based on notes by Spencer Dawkins Meeting chaired by Dan Wing Thursday, March 23, 2006, 13:00-15:00 ------------------------------------- Topic: Agenda and Chair Update (Chairs, 15 min) It was announced that Jiri Kuthan was stepping down as chair, and Dan Wing is the new co-chair (with Cullen Jennings). The new ADs, Magnus Westerlund and Lars Eggert, were introduced. The agenda was accepted as-is. ----- Topic: TCP Issues (Saikat Guha, 30 min) draft-ietf-behave-tcp-00 Saikat presented the draft. This is a revision of hoffman-03 draft, including comments from last meeting and the mailing list. This draft is now a WG item. The TCP draft describes NAT behavior to allow simultaneous open so that two hosts behind their own NATs can establish a TCP connection. Open issues: * Req-3, "MUST support inbounc SYN/3-way from specific endpoints (handle full cone or restrictive cone behavior)", generated some discussion. Jonathan asked if this requirement was just for SYN, and Saikat agreed it was and the next version of the draft would reflect this. Philip Matthews asked if we wanted same filtering behaviors for TCP and UDP. Discussion concluded that the TCP filtering behavior needed to be IP address dependant, but shouldn't be TCP port dependant, to allow for a BEHAVE- compliant NAT to talk with a non-BEHAVE-compliant NAT which changes the ephemeral TCP port. * REQ-5 - timeouts. Cullen asked if REQ-5 could specify an absolute minimum so applications could do keepalives just faster than this minimum. Cullen pointed out this was done in the UDP draft. Magnus asked if there was a DoS problem with keeping NAT bindings alive for hours if the host had crashed. Philip Matthews pointed out the UDP draft didn't discuss what should occur when the NAT "fills up" -- deleting the most recently used is exactly the wrong behavior from application view since the failures look random. Cullen said such decisions were up to vendors. Magnus said security implications of any such behavior should be considered. Philip suggested that applications want consistent behavior, and that is what we need to rely on. Francois - too late to recommend behavior for UDP, but TCP may be different - need to discuss this on list Lars suggested the principle of least astonishment would be good. Also - 2 hours is when TCP keepalive occur, and TCP keepalives are optional - if you don't use TCP keepalives, connection could be open and silent for years. No good answer that gives consistent behavior. Question was raised if TCP ALGs are in scope, such as FTP ALG. Consensus in the room is they are out of scope unless there is a compelling reason to make them in scope. Dan pointed out that Internet Explorer's FTP client doesn't use Passive mode (which is inaccurate as of 2004, <http://support.microsoft.com/?kbid=309816>, dwing). A hum was taken that the FTP ALG is turned off by default. Hums were 'yes' with some opposed. All other TCP ALGs were decided to be off by default. ----- STUN Issues (Jonathan Rosenberg, 25 min) draft-ietf-behave-rfc3489bis-03 Dan is now a co-author. This version is more than a minor revision. "STUN Usages" are now defined, and four usages are defined in RFC3489bis, discovery, connectivity check, NAT keepalives, short-term password. TURN is a separate draft that defines its own STUN Usage. A small number of people have implemented shared secret mechanism, short-term password would be simpler RFC3489bis removed all attributes to determine NAT types. Discussion briefly touched on disconnect between sip-outbound and rfc3489bis; these will be resolved by the respective authors. Open issue: fate of type-determination attributes? Proposal is to create separate "diagnostic usage" I-D, if we can find a stuckee, alternative is to back-reference RFC 3489. Derek McDonald agreed to author this draft. Philip Matthews suggested keeping diagnostics for P2P-SIP, even if it's not entirely accurate. Dan pointed out some NATs change behavior as they run out of resources, and Cullen pointed out that STUN server needs two IP addresses to do the diagnostics checks. Open issue: whether to send/receive TLS - use NAPTR? SIP used NAPTR, but client knows exactly what it needs in this case -- factor in usages (different ports for relays, etc.) Proposal - SRV record looks like _useage_.transport.domain There was some discussion; Jonathan will up the SRV proposal and post it. Jonathan requested help on failover behavior. This behavior is usage-specific (for example, NAT keepalive behavior is different from connectivity check). Cullen said server that is "half up" seems unlikely, don't use this as a requirement (although it will happen). Who has read? About half the room. Default STUN port, decision was Jonathan would request one from IANA. Aki asked by IPv6 was added; it's for v4/v6 transition (Gonzolo's draft) ----- Topic: TURN Issues (Jonathan Rosenberg, 20 min) draft-ietf-behave-turn-00 draft-camarillo-midcom-turn-ipv6-00 This draft replaces Jonathan's previous individual submission. It is now a WG item. Jonathan explained this draft has More changes than STUN, reflecting TURN's relative maturity Many things moved from TURN to rfc3489bis. Set Active Destination rewritten, unified TCP and UDP, Send is an indication, not a request, allow set active destination even if you've never been there. MAPPED-ADDRESS is server-reflexive, added RELAY-ADDRESS for relayed address, added requests for port attributes (specific port, port parity, contiguity port requests) Francois asked by TURN didn't support getting two ports at once? Jonathan explained it's because TURN exists to traverse NATs, and if you don't send a packet to the TURN server, the TURN server won't be able to get through your NAT. Francois asked how bad the 'port parity' request is this for TURN server? Jonathan explained it's merely a hint for the TURN server to keep an adjacent port available and is no worse than what a client does today for RTP port parity. Biggest change requested is that requests can now befor a specific IP addresses (useful for tcp stun, more than 64K clients), specific transports, permissions set on send and set active destination operations It was pointed out the RTCP SDP attribute (RFC3605) removes parity requirement, but Jonathan said there are RFC3605-unaware endpoints which need port parity. Jonathan will include text to this effect in the next version of the draft. Other changes - New Connect request for opening TCP connections, TCP connections NOT opened from ephemeral ports, closing TCP connections from external host do not release allocation (open multiple connections from an allocated address). Allocated lifetimes refreshed ONLY by Allocate request, not data flow. Hokey mechanism for dealing with connection setups that take longer than STUN transaction Lars - why don't I just wait until something succeeds or fails? If timeouts were set correctly, this wouldn't be an issue. Added example, overview of operations It was asked if one side of the connection could be closed. Jonathan agreed to think about this; it may make sense. Open issue - disambiguation (was skipped over during presentation for time concerns) Open issue - XOR of other addresses? Jonathan doesn't think this is needed, because NATs are looking for their own addresses. A discussion ensued around XOR-MAPPED-ADDRESS. Conclusion was to not XOR the TURN addresses. Open issue - allocate identification. Problem is when NATs reboot. If refresh comes over new flow, will update mapping to point to new flow. Open issue - demux over TCP. Server needs to look at bytes 5-8 (magic cookie), and server doesn't know framing protocol, doesn't actually know how to do demux when you don't know framing protocols (ex. Jabber requires full XML parsing to identify start/end). Could signal this, but it's a non-starter. "Do cookie hunt" in TCP until you find the cookie? Not at line rate, need timers (so introduce more jitter), danger of four-byte collisions (2**32 collisions in gigabyte files not too unlikely). Always use send and indication? Problem is overhead - no unencapsulated data. Lightweight demux (32-bits, 8 bit type, 24-bit length)? STUN and Data types. Propose that we use this for UDP, too, and evoid need for cookie check. The consensus in the room is this framing was good for TCP; not sure about UDP. Open issue - 32-bit alignment - TURN is 32-bit aligned, but data isn't - pad for 32-bit alignment? Jonathan agreed to put this in. ----- Topic: Multicast Draft (Dan Wing, 10 min) draft-ietf-behave-multicast-01 draft-ietf-magma-igmp-proxy-06 Magma draft has already passed IESG review. Will drop the behave draft and let it expire. Cullen - looks close, but if we give MAGMA draft to NAT vendors they will be confused. Make behave draft just point to MAGMA draft, point-by-point? Francois - how would anyone else figure this out in the first place. Is there an existing document where we can include the pointer? Philip pointed out that the MAGMA draft is in RFC Editor queue and we can't squeeze in a change of this size in AUTH-48. Dan said he would ask the list for suggestions. ----- Topic: ICMP Draft (Saikat Guha, 20 min) draft-srisuresh-behave-nat-icmp-01 The ICMP draft is an adjunct to the TCP and UDP drafts that we already have. Saikat: Draft describes five requirements: 1. same thing with timeouts as UDP/TCP, namely administrator- configured timeout. Want feedback from BEHAVE. Cullen asked what applications beyond ICMP PING and ICMP traceroute need this draft. Saikat agreed with Cullen, but said some ICMP errors are useful. Francois suggested we make sure something is broken before we take this as a WG item. Saikat skipped to end of presentation, asking room to adopt this as WG item. Philip Matthews (?) said the document is important if vendors screw up ICMP, or ICMP needs more predictable behavior. Saikat said the UDP and TCP documents identified what needs to change, at minimum, to make UDP and TCP work. For ICMP, we're less sure what those problems are. Continuing with the five requirements: 1. PING sends an echo request, next PING goes to a different mapping; what default timeout should exist for the mappings? Magnus - should give consideration to using Maximum Segment Lifetime. 2. NAT MUST NOT modify ICMP 'type' values. Saikat asked if anyone was familiar with a NAT that actually had this behavior, and if we should mention this in the draft. Magnus said perhaps it should stay in the draft. Cullen said he hadn't seen a NAT that does this. Francois asked if this requirement is trying to say "must not block ICMP?". Saikat said this wasn't related to filtering ICMP, but rather was related to changing the contents of the ICMP packet. Saikat suggested we remove this from the document. Dan asked that this be brought to the mailing list. 3. Outbound ICMP messages need to have their IP source rewritten to the NAT's public IP address. Dan - ingress filtering (RFC2827) will cause these packets to be dropped, if the NAT doesn't follow this behavior. So this is why such behavior is necessary. 4. ICMP messages shouldn't cause a binding to be refreshed or deleted. Saikat pointed out that the UDP draft already mentions this, for UDP. This requirement would generalize this behavior for NAT binding tables. Dan pointed out that some protocols may need different behavior. Saikat said the ICMP draft would allow protocol-specific drafts to override its behavior 5. Send ICMP error code 10 if NAT is exhausted of resources. This is a soft error; Saikat pointed out TCPM is modifying the interpretation of this ICMP error, and that this message is only sent at session initiation. Saikat suggested bringing discussion to the list. 6. DF behavior, follows normal router behavior. Question: keep this in the draft, or pull it out. Lars suggested that RFC1812 should be the baseline here - "NATs should look like routers". And that instead of duplicating what RFC1812 says, just point out the differences from RFC1812. 7. TTL behavior, should NAT return 'TTL exceeded' when TTL is exceeded at the NAT itself. end of minutes
- [Ietf-behave] Minutes from Dallas Dan Wing