IETF Logo Mail Archive

Re: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00

Reinaldo Penno <rpenno@juniper.net> Mon, 07 December 2009 07:15 UTC

Return-Path: <rpenno@juniper.net>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 754753A6886 for <behave@core3.amsl.com>; Sun, 6 Dec 2009 23:15:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QMjHIHXKPR7o for <behave@core3.amsl.com>; Sun, 6 Dec 2009 23:15:36 -0800 (PST)
Received: from exprod7og115.obsmtp.com (exprod7og115.obsmtp.com [64.18.2.217]) by core3.amsl.com (Postfix) with ESMTP id A5AE63A6863 for <behave@ietf.org>; Sun, 6 Dec 2009 23:15:33 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob115.postini.com ([64.18.6.12]) with SMTP ID DSNKSxyrh8+KtL7LmUMPxDpwXmzKFcRwp0Uy@postini.com; Sun, 06 Dec 2009 23:15:26 PST
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.1.393.1; Sun, 6 Dec 2009 23:15:09 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Mon, 7 Dec 2009 02:15:08 -0500
From: Reinaldo Penno <rpenno@juniper.net>
To: Simon Perreault <simon.perreault@viagenie.ca>
Date: Mon, 7 Dec 2009 02:15:05 -0500
Thread-Topic: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00
Thread-Index: Acp1oSpPek+deTTTTW2Mbpm7+srzFwBa9WV8
Message-ID: <C741EB79.B9F1%rpenno@juniper.net>
In-Reply-To: <4B1A490C.7090104@viagenie.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-Entourage/13.0.0.090609
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: 'Xu, Cameron Byrne <cb.list6@gmail.com>, "behave@ietf.org" <behave@ietf.org>, Xiaohu' <xuxh@huawei.com>, Dan Wing <dwing@cisco.com>
Subject: Re: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 07:15:39 -0000

On 12/5/09 3:50 AM, "Simon Perreault" <simon.perreault@viagenie.ca> wrote:

> On 12/05/2009 03:27 AM, Reinaldo Penno wrote:
>> If a certain mapping on NAT64-A does not send ICMPv4 packets back
>> for unsolicited sessions and another mapping does, this behavior must remain
>> the same on the fail-over box.
> 
> This is arguable. IMHO, this behaviour could be different without
> negative impact in many situations.

This is a vague statement. Can you please elaborate which situations are
these without negative impact?

In my experience there are usually negative impacts ranging from from legal
requirements, DDoS & security and last but not least performance.

> 
>> NAT state is the mapping state + ICMP behavior (discussed above) + filtering
>> behavior + timer settings (discussed below for ICMP) + log behavior
>> (yes/no/format) + others not discussed. Each of these can be different for
>> different NAT entries.
> 
> We have different definitions of state it seems.
> 
> ICMP behaviour, filtering behaviour, timer settings, log behaviour, and
> others do not vary over time. (Or we could impose the constraint that
> the state sync connection be renegotiated when they do vary.)
> 
> The state sync protocol is only concerned with stuff that varies over
> time, i.e. bindings and sessions. That's it.

Can you explain what exactly and how is your definition of 'vary over time'?
When a NAT binding is created with certain parameters, do you foresee the
same NAT binding varying over time before the session is over?

I certainly foresee that the same private address can get a different
bindings when it goes to different destinations over time. But then it can
also get a different ICMP handling, filtering, logging and timer behavior.
Therefore this state also needs to be synched with each new different
binding. 

> 
>> Some people made the opposite case and it brings to some of the basics. NAT
>> operational complexity is high and therefore brings special requirements to
>> the table. Based on your statement it seems you think there are similar
>> cases.
> 
> "NAT operational complexity is high" is a blanket statement. For
> example, nowadays most everyone has a NAT at home without even knowing it.

Right, one vendor, one box, one interface in-out, box wide knobs for most
NAT behavior. Is that how you see service providers NAT boxes?

Because that would explain where you are coming from in relation to NAT
state, filtering, etc.

Thanks,

Reinaldo

PS: One thing NAT home devices have that is very useful is UPnP and NAT-PMP
(but that is being implemented in some large NAT boxes). Thinking about that
makes me wonder if the protocol will synch dynamic NAT port forwarding state
established through UPNP and NAT-PMP across boxes.

v2.8.7 | Report a Bug | By Email