IETF Logo Mail Archive

Re: [BEHAVE] Comments on nat64-02

Reinaldo Penno <rpenno@juniper.net> Fri, 27 February 2009 19:30 UTC

Return-Path: <rpenno@juniper.net>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 51E313A67A3 for <behave@core3.amsl.com>; Fri, 27 Feb 2009 11:30:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.026
X-Spam-Level:
X-Spam-Status: No, score=-5.026 tagged_above=-999 required=5 tests=[AWL=1.573, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJsImwMeYlef for <behave@core3.amsl.com>; Fri, 27 Feb 2009 11:30:27 -0800 (PST)
Received: from exprod7og106.obsmtp.com (exprod7og106.obsmtp.com [64.18.2.165]) by core3.amsl.com (Postfix) with ESMTP id 175F43A6966 for <behave@ietf.org>; Fri, 27 Feb 2009 11:30:27 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob106.postini.com ([64.18.6.12]) with SMTP ID DSNKSag/apqJYDBWtWVWVRefEW9Wb7HtRm+l@postini.com; Fri, 27 Feb 2009 11:30:50 PST
Received: from p-emfe01-sac.jnpr.net (66.129.254.72) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server id 8.1.340.0; Fri, 27 Feb 2009 11:28:55 -0800
Received: from p-emsmtp03.jnpr.net ([66.129.254.54]) by p-emfe01-sac.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Fri, 27 Feb 2009 11:28:55 -0800
Received: from antipi.jnpr.net ([10.10.2.34]) by p-emsmtp03.jnpr.net with Microsoft SMTPSVC(6.0.3790.3959); Fri, 27 Feb 2009 11:28:55 -0800
Received: from proton.jnpr.net ([10.10.2.37]) by antipi.jnpr.net with Microsoft SMTPSVC(6.0.3790.1830); Fri, 27 Feb 2009 14:28:54 -0500
Received: from 172.23.1.92 ([172.23.1.92]) by proton.jnpr.net ([10.10.2.37]) with Microsoft Exchange Server HTTP-DAV ; Fri, 27 Feb 2009 19:28:53 +0000
User-Agent: Microsoft-Entourage/12.15.0.081119
Date: Fri, 27 Feb 2009 11:28:52 -0800
From: Reinaldo Penno <rpenno@juniper.net>
To: behave@ietf.org
Message-ID: <C5CD7EF4.20096%rpenno@juniper.net>
Thread-Topic: [BEHAVE] Comments on nat64-02
Thread-Index: AcmYZeK+9g6kF6Om0U+vq1rJUxoUigAAI8OsACrLVck=
In-Reply-To: <C5CC5FC4.1FE9E%rpenno@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 27 Feb 2009 19:28:54.0024 (UTC) FILETIME=[A055C880:01C99911]
Subject: Re: [BEHAVE] Comments on nat64-02
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2009 19:30:28 -0000

A few more comments as I go through:

7)

" So, NAT64 implements by definition, at least,
   endpoint independent filtering, meaning that in order to enable any
   packet to flow from the IPv4 side to the IPv6 side, , there must have
   been a packet flowing from the IPv6 side to the IPv4 side the created
   the binding information to be used for packets in the other
   direction."

I do not think one follows from the other as stated. Sending a packet from
ipv6 to ipv4 only creates the binding. It does not enable packets to flow
from ipv4 to ipv6. The mapping strategy might be different from the
filtering strategy.

I think (maybe I'm wrong) that the intent on RFC487 in separating mapping
from filtering was to make these orthogonal issues and allow security to
override things if needed.

8)

" So, NAT64 implements by definition, at least,
   endpoint independent filtering, meaning that in order to enable any
   packet to flow from the IPv4 side to the IPv6 side,"

You mention endpoint independent but in section  "1.2.3.  Filtering" what
you seem to describe is address-dependent filtering.


9)

" It is possible to configure the NAT64 to implement more
   stringent security policy, if endpoint independent mapping is
   considered not secure enough"

I think you mean "endpoint independent filtering" as opposed to endpoint
independent mapping.


Thanks,

Reinaldo





On 2/26/09 3:03 PM, "Reinaldo Penno" <rpenno@juniper.net> wrote:

> 
> Hello,
> 
> I've been going through nat64 and have a few comments/questions:
> 
> 1)
> 
> " 2.  H1 sends a packet to H2.  The packet is sent from a source
>        transport address of (Y',y) to a destination transport address of
>        (Pref64:X,x), where y and x are ports chosen by H2."
> 
> How can H2 (the destination) choose the source port of both the packets used
> by the v6 host and the NAT64 on the IPv4 interface? Should it say H1?
> 
> There are also recommendations on RFC4787 about how ports should be mapped
> from internal to external networks. I'm assuming those should apply also to
> NAT64.
> 
>  
> 2)
> 
> "       *  The NAT64 includes (Y',y) as source transport address in the
>           packet and (Pref64:X,x) as destination transport address in
>           the packet.  Note that X is extracted directly from the source
>           IPv4 address of the received IPv4 packet that is being
>           translated."
> 
> Maybe you mean (Y', y) as the destination and (Pref64:X, x) as the source?
> 
> 3)
> "   If a NAT64 filters on its IPv4 interface, then an incoming packet is
>    dropped unless a packet has been recently sent out the interface with
>    a destination IP address equal to the source IP address of the
>    incoming packet."
> 
> Maybe substitute this wording by "address-dependent filtering according to
> RFC4787".
> 
> Below you say " NAT64 filtering is consistent with the recommendations of
> RFC 4787.", but RFC4787 REQ-8 allows filtering depending on what is
> important for the NAT device: security vs. application transparency.
> 
> Is the reason for address-dependent filtering security?
> 
> 
> 4)
> 
> "     NOTE: The transport protocol is always one of TCP or UDP, even if
> the IP packet contains an ICMP message."
> 
> I'm assuming per your TBD this will go away when the draft has ICMP Query
> support? 
> 
> 5)
> "   Assuming it otherwise has sufficient resources, a NAT64 MUST allow
>    the fragments to arrive over a time interval of at least 10 seconds.
>    A NAT64 MAY require that the UDP, TCP, or ICMP header be completely
>    contained within the first fragment."
> 
> Can you cite the reference for using for the time of at least 10 seconds as
> a "MUST"? 
> 
> 6)
> 
> "   1.  If the packet arrived on the IPv4 interface and the NAT64 filters
>        on its IPv4 interface, then the NAT64 checks to see if the
>        incoming packet is allowed according to the address-dependent
>        filtering rule.  To do this, it searches for a session table
>        entry with a source IPv4 address equal to the source IPv4 address
>        in the incoming 5-tuple.  If such an entry is found (there may be
>        more than one), packet processing continues.  Otherwise, the
>        packet is discarded.  If the packet is discarded, then an ICMP
>        message SHOULD be sent to the original sender of the packet,
>        unless the discarded packet is itself an ICMP message.  The ICMP
>        message, if sent, has a type of 3 (Destination Unreachable) and a
>        code of 13 (Communication Administratively Prohibited)."
> 
> In general I find this section and similar ones very implementation
> specific, but regardless I have one comment.
> 
> I think you mean 
> 
> "... searches for a session table
>        entry with a source IPv4 address equal to the destination IPv4
> address in the incoming 5-tuple",
> 
> otherwise they will never match since the source IP address used by the
> NAT64 device will always be different from the source v4 address used by
> external hosts.
> 
> So, you try to match the destination IPv4 address of a possibly unsolicited
> packet with a v4 session that already exists in the session table the
> opposite direction, right? This seems consistent with step 2.
> 
> 7)
> 
> "   3.  The NAT64 sets or resets the timer in the session table entry to
>        maximum session lifetime.  By default, the maximum session
>        lifetime is 5 minutes, but for specific destination ports in the
>        Well-Known port range (0..1023), the NAT64 MAY use a smaller
>        maximum lifetime."
> 
> This seems to be at odds with REQ-5, REQ-5c of RFC4787
> 
> You use the word "maximum", but those requirements use "     c) A default
> value of five minutes or more for the NAT UDP mapping
>          timer is RECOMMENDED."
> 
> In other words 5 minutes or more is rather different than a maximum of 5
> minutes.
> 
> Maybe you can reference REQ-5c here.
> 
> 
> Thanks,
> 
> Reinaldo
> 
> 
> 
> 
> 
> 
> 
> ------ End of Forwarded Message
> 
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email