Re: [BEHAVE] NAPGT request for comments, THANKS!
"Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com> Wed, 17 July 2013 13:30 UTC
Return-Path: <ssenthil@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0776421F9EA7; Wed, 17 Jul 2013 06:30:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6GRJyiApTMZ; Wed, 17 Jul 2013 06:30:26 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id D26ED21F9EF2; Wed, 17 Jul 2013 06:30:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=16015; q=dns/txt; s=iport; t=1374067826; x=1375277426; h=from:to:cc:subject:date:message-id:in-reply-to: mime-version; bh=XBLY5ryJdPIHhZoVdxPITZxasUQX3p+HgX8//pno/AY=; b=DqfcelWqE5CzjI02G7XOTDNJrAXLzro6qukaMqXPPWvQ91qlYBOkE9ZY LMNRjA9ogWdD6s7f6twrfcHqIp0WmlDSWcXhV5k+VR5UpK5iqp61t9uMC iDb71YcJ+yaKD1mv/1Q4rSxHnazETj6rEg2sGWv2AVD5FX6h4kVAZLigP g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqoFAImb5lGtJXHA/2dsb2JhbABagkJENE+6FYg9gREWdIIjAQEBAwEBAQFrCwUNAQgRAwEBAQEKHS4LFAkIAgQBDQUIiAIGDLV7jiKBGyANBAcGA4MDbgOZBZAkgxKBcTc
X-IronPort-AV: E=Sophos; i="4.89,684,1367971200"; d="scan'208,217"; a="235947328"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-3.cisco.com with ESMTP; 17 Jul 2013 13:30:25 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id r6HDUOBv011821 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 17 Jul 2013 13:30:24 GMT
Received: from xmb-rcd-x15.cisco.com ([169.254.5.94]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.02.0318.004; Wed, 17 Jul 2013 08:30:24 -0500
From: "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>
To: "meng.wei2@zte.com.cn" <meng.wei2@zte.com.cn>, "Reinaldo Penno (repenno)" <repenno@cisco.com>
Thread-Topic: [BEHAVE] NAPGT request for comments, THANKS!
Thread-Index: AQHOgT/xKd1JQDPEfEGuYnya6wJotJloOY+AgAA4XwCAABkrgIAAFKIAgAA7GgCAABcBAA==
Date: Wed, 17 Jul 2013 13:30:24 +0000
Message-ID: <CB1B483277FEC94E9B58357040EE5D02325CF41E@xmb-rcd-x15.cisco.com>
In-Reply-To: <OF50A98C07.6E747C89-ON48257BAB.00257C5C-48257BAB.002CC34E@zte.com.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.117.198.132]
Content-Type: multipart/alternative; boundary="_000_CB1B483277FEC94E9B58357040EE5D02325CF41Exmbrcdx15ciscoc_"
MIME-Version: 1.0
Cc: "behave@ietf.org" <behave@ietf.org>, "behave-bounces@ietf.org" <behave-bounces@ietf.org>, "Dan Wing (dwing)" <dwing@cisco.com>
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 13:30:31 -0000
From: "meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>" <meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>>
Date: Wednesday, July 17, 2013 4:08 AM
To: "Reinaldo Penno (repenno)" <repenno@cisco.com<mailto:repenno@cisco.com>>
Cc: "behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>" <behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>>, "behave@ietf.org<mailto:behave@ietf.org>" <behave@ietf.org<mailto:behave@ietf.org>>, "Dan Wing (dwing)" <dwing@cisco.com<mailto:dwing@cisco.com>>
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
Hi,
I got what the example means.
1-1024 is just an example, the range could be any valid value.
"<1-1024> might be used as NAT, <1025-65535> might be used as
dynamic NAPT", example is as below.
+----------+ +-----+ +--------+
+ Internet + ----+ NAT +----+ Server +
+----------+ +-----+ +--------+
(1) "<1-1024> might be used as NAT" means,
A server behind a NAT.
A message, sent by server, its source port is in 1-1024 (or 4500-4501 or ...).
The source address will be converted by NAT, the source port remains
the same.
[Senthil] Sorry, I didn’t read the draft, but the above logic wont work if there are multiple servers using the same source port.
Also, in some applications (I think rcmd, rshell etc), the source port doesn’t have to be preserved but must be below 1024.
Senthil
(2)<1025-65535> might be used as dynamic NAPT
Meanwhile, many hosts are behind NAT. They attempt to access to
internet.
A message, sent by a host, both its source address and port will
be converted by NAT, and the new port will be in 1025-65535.
It will make IP address assignment more effective.
Cheers,
Wei
behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> 2013-07-17 12:36:30:
> Hi,
>
> I'm not sure what exactly you man by "might be used as NAT".
>
> 0-1024 might be used for NAPT in a FCFS basis where port
> preservation (this is what we are talking about here, right?) is needed.
>
> As a concrete example, many IPsec Servers still expect to see the
> source port within 0-1024 and preferably a specific source port. If
> that source port is used by the NAT, and more than one IPsec client
> is behind it, there are a some choices available.
>
> - Some funky IPSec ALG (implemented in many products)
> - Give a port above 1024 and hope for the best
> - Deny the connection
> - others..
>
> Other ports for the same public IP can be used by any other internal
> IP address. This is very common in implementations.
>
> thanks,
>
> From: behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> [behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>] on behalf of
> meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn> [meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>]
> Sent: Tuesday, July 16, 2013 8:22 PM
> To: Reinaldo Penno (repenno)
> Cc: behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>; behave@ietf.org<mailto:behave@ietf.org>; Dan Wing (dwing)
> Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
>
> Hi Reinaldo,
> So I suppose <1-1024> might be used as NAT, <1025-65535> might be used as
> dynamic NAPT.
> That is what this view says in the draft.
>
> Cheers,
> Wei
>
>
> behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> 2013-07-17 09:52:34:
>
> > I'm not sure this is a good idea. There are still some protocols
> > around that use ports < 1024 and maintaining the source port after
> > translation in this range is important.
> >
> > From: behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> [behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>] on behalf of
> > Dan Wing (dwing)
> > Sent: Tuesday, July 16, 2013 3:30 PM
> > To: meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>
> > Cc: behave@ietf.org<mailto:behave@ietf.org>
> > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
>
> >
> > On Jul 15, 2013, at 2:43 AM, meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn> wrote:
> >
> > I have submitted a new draft. The objective is to solve a problem that
> > prevents an external client from accessing an internal server.
> >
> > https://datatracker.ietf.org/doc/draft-meng-behave-napgt/
> >
> > I expect your comments. Thanks a lot!
> >
> > Draft-meng-behave-napgt appears to describe something that is very
> > similar to the long-standing "DMZ host" configuration available on
> > almost all residential-class NAT devices. I don't think we could
> > standardize that behavior, but perhaps that is possible.
> >
> > Draft-meng-behave-napgt also describes an update to the port
> > assignment behavior described in http://tools.ietf.
> > org/html/rfc5382#section-7.1 (TCP) and http://tools.ietf.
> > org/html/rfc4787#section-4.2.1 (UDP). If I understand Section 4 of
> > draft-meng-behave-napgt properly, it is saying that NATs should not
> > assign ports below 1024 to dynamic connections. This might be
> > something worth considering for draft-ietf-behave-requirements-update?
> >
> > -d
> > _______________________________________________
> > Behave mailing list
> > Behave@ietf.org<mailto:Behave@ietf.org>
> > https://www.ietf.org/mailman/listinfo/behave
> _______________________________________________
> Behave mailing list
> Behave@ietf.org<mailto:Behave@ietf.org>
> https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Fwd: I-D Action: draft-chen-behave-nat64… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Dan Wing
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Simon Perreault
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)