IETF Logo Mail Archive

Re: [BEHAVE] Comments on nat64-02

marcelo bagnulo braun <marcelo@it.uc3m.es> Sat, 07 March 2009 20:19 UTC

Return-Path: <marcelo@it.uc3m.es>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 54FFE28C17F for <behave@core3.amsl.com>; Sat, 7 Mar 2009 12:19:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.316
X-Spam-Level:
X-Spam-Status: No, score=-6.316 tagged_above=-999 required=5 tests=[AWL=0.283, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sITEIk-A+GVd for <behave@core3.amsl.com>; Sat, 7 Mar 2009 12:19:46 -0800 (PST)
Received: from smtp02.uc3m.es (smtp02.uc3m.es [163.117.176.132]) by core3.amsl.com (Postfix) with ESMTP id A87483A6A36 for <behave@ietf.org>; Sat, 7 Mar 2009 12:19:45 -0800 (PST)
Received: from marcelo-bagnulos-macbook-pro.local (81.pool85-53-139.dynamic.orange.es [85.53.139.81]) by smtp02.uc3m.es (Postfix) with ESMTP id B05B965ABD2; Sat, 7 Mar 2009 21:03:16 +0100 (CET)
Message-ID: <49B2D302.7060802@it.uc3m.es>
Date: Sat, 07 Mar 2009 21:03:14 +0100
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Reinaldo Penno <rpenno@juniper.net>
References: <C5CD7EF4.20096%rpenno@juniper.net>
In-Reply-To: <C5CD7EF4.20096%rpenno@juniper.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-TM-AS-Product-Ver: IMSS-7.0.0.3116-5.6.0.1016-16506.002
Cc: behave@ietf.org
Subject: Re: [BEHAVE] Comments on nat64-02
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2009 20:19:47 -0000

Reinaldo Penno escribió:
> A few more comments as I go through:
>
> 7)
>
> " So, NAT64 implements by definition, at least,
>    endpoint independent filtering, meaning that in order to enable any
>    packet to flow from the IPv4 side to the IPv6 side, , there must have
>    been a packet flowing from the IPv6 side to the IPv4 side the created
>    the binding information to be used for packets in the other
>    direction."
>
> I do not think one follows from the other as stated. Sending a packet from
> ipv6 to ipv4 only creates the binding. It does not enable packets to flow
> from ipv4 to ipv6. 
right but that would be address dependent mapping right?
what is being stated is about endpoint independent filtering

> The mapping strategy might be different from the
> filtering strategy.
>
> I think (maybe I'm wrong) that the intent on RFC487 in separating mapping
> from filtering was to make these orthogonal issues and allow security to
> override things if needed.
>   


> 8)
>
> " So, NAT64 implements by definition, at least,
>    endpoint independent filtering, meaning that in order to enable any
>    packet to flow from the IPv4 side to the IPv6 side,"
>
> You mention endpoint independent but in section  "1.2.3.  Filtering" what
> you seem to describe is address-dependent filtering.
>
>   
No, what the text means is that:
by its own nature, the nat64 does endpoint independent filtering (Cause 
there is no mapping to the traffic initiated through the IPv4 interface)
The NAt64 can in adition do address depednent filtering, if security 
considerations deem it necesary

> 9)
>
> " It is possible to configure the NAT64 to implement more
>    stringent security policy, if endpoint independent mapping is
>    considered not secure enough"
>
> I think you mean "endpoint independent filtering" as opposed to endpoint
> independent mapping.
>
>
>   
right

Thanks, marcelo


> Thanks,
>
> Reinaldo
>
>
>
>
>
> On 2/26/09 3:03 PM, "Reinaldo Penno" <rpenno@juniper.net> wrote:
>
>   
>> Hello,
>>
>> I've been going through nat64 and have a few comments/questions:
>>
>> 1)
>>
>> " 2.  H1 sends a packet to H2.  The packet is sent from a source
>>        transport address of (Y',y) to a destination transport address of
>>        (Pref64:X,x), where y and x are ports chosen by H2."
>>
>> How can H2 (the destination) choose the source port of both the packets used
>> by the v6 host and the NAT64 on the IPv4 interface? Should it say H1?
>>
>> There are also recommendations on RFC4787 about how ports should be mapped
>> from internal to external networks. I'm assuming those should apply also to
>> NAT64.
>>
>>  
>> 2)
>>
>> "       *  The NAT64 includes (Y',y) as source transport address in the
>>           packet and (Pref64:X,x) as destination transport address in
>>           the packet.  Note that X is extracted directly from the source
>>           IPv4 address of the received IPv4 packet that is being
>>           translated."
>>
>> Maybe you mean (Y', y) as the destination and (Pref64:X, x) as the source?
>>
>> 3)
>> "   If a NAT64 filters on its IPv4 interface, then an incoming packet is
>>    dropped unless a packet has been recently sent out the interface with
>>    a destination IP address equal to the source IP address of the
>>    incoming packet."
>>
>> Maybe substitute this wording by "address-dependent filtering according to
>> RFC4787".
>>
>> Below you say " NAT64 filtering is consistent with the recommendations of
>> RFC 4787.", but RFC4787 REQ-8 allows filtering depending on what is
>> important for the NAT device: security vs. application transparency.
>>
>> Is the reason for address-dependent filtering security?
>>
>>
>> 4)
>>
>> "     NOTE: The transport protocol is always one of TCP or UDP, even if
>> the IP packet contains an ICMP message."
>>
>> I'm assuming per your TBD this will go away when the draft has ICMP Query
>> support? 
>>
>> 5)
>> "   Assuming it otherwise has sufficient resources, a NAT64 MUST allow
>>    the fragments to arrive over a time interval of at least 10 seconds.
>>    A NAT64 MAY require that the UDP, TCP, or ICMP header be completely
>>    contained within the first fragment."
>>
>> Can you cite the reference for using for the time of at least 10 seconds as
>> a "MUST"? 
>>
>> 6)
>>
>> "   1.  If the packet arrived on the IPv4 interface and the NAT64 filters
>>        on its IPv4 interface, then the NAT64 checks to see if the
>>        incoming packet is allowed according to the address-dependent
>>        filtering rule.  To do this, it searches for a session table
>>        entry with a source IPv4 address equal to the source IPv4 address
>>        in the incoming 5-tuple.  If such an entry is found (there may be
>>        more than one), packet processing continues.  Otherwise, the
>>        packet is discarded.  If the packet is discarded, then an ICMP
>>        message SHOULD be sent to the original sender of the packet,
>>        unless the discarded packet is itself an ICMP message.  The ICMP
>>        message, if sent, has a type of 3 (Destination Unreachable) and a
>>        code of 13 (Communication Administratively Prohibited)."
>>
>> In general I find this section and similar ones very implementation
>> specific, but regardless I have one comment.
>>
>> I think you mean 
>>
>> "... searches for a session table
>>        entry with a source IPv4 address equal to the destination IPv4
>> address in the incoming 5-tuple",
>>
>> otherwise they will never match since the source IP address used by the
>> NAT64 device will always be different from the source v4 address used by
>> external hosts.
>>
>> So, you try to match the destination IPv4 address of a possibly unsolicited
>> packet with a v4 session that already exists in the session table the
>> opposite direction, right? This seems consistent with step 2.
>>
>> 7)
>>
>> "   3.  The NAT64 sets or resets the timer in the session table entry to
>>        maximum session lifetime.  By default, the maximum session
>>        lifetime is 5 minutes, but for specific destination ports in the
>>        Well-Known port range (0..1023), the NAT64 MAY use a smaller
>>        maximum lifetime."
>>
>> This seems to be at odds with REQ-5, REQ-5c of RFC4787
>>
>> You use the word "maximum", but those requirements use "     c) A default
>> value of five minutes or more for the NAT UDP mapping
>>          timer is RECOMMENDED."
>>
>> In other words 5 minutes or more is rather different than a maximum of 5
>> minutes.
>>
>> Maybe you can reference REQ-5c here.
>>
>>
>> Thanks,
>>
>> Reinaldo
>>
>>
>>
>>
>>
>>
>>
>> ------ End of Forwarded Message
>>
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
>>     
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave
>
>

v2.23.0 | Report a Bug | By Email