IETF Logo Mail Archive

Re: [BEHAVE] Scalability of endpoint independent mapping

"Dan Wing" <dwing@cisco.com> Wed, 14 May 2008 17:29 UTC

Return-Path: <behave-bounces@ietf.org>
X-Original-To: behave-archive@optimus.ietf.org
Delivered-To: ietfarch-behave-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE05F3A686E; Wed, 14 May 2008 10:29:51 -0700 (PDT)
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BAE603A6819 for <behave@core3.amsl.com>; Wed, 14 May 2008 10:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.546
X-Spam-Level:
X-Spam-Status: No, score=-6.546 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbQKHyqTUWeR for <behave@core3.amsl.com>; Wed, 14 May 2008 10:29:47 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id B20A63A6813 for <behave@ietf.org>; Wed, 14 May 2008 10:29:47 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,487,1204531200"; d="scan'208";a="98687755"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 14 May 2008 10:29:09 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m4EHT9Z0031029; Wed, 14 May 2008 10:29:09 -0700
Received: from dwingwxp01 ([10.32.240.195]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m4EHT9Sb008943; Wed, 14 May 2008 17:29:09 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Iljitsch van Beijnum' <iljitsch@gmail.com>
References: <8EC5CF03-6800-464B-8424-A196E1FA0901@muada.com> <000201c8b3b0$d74ccdd0$c3f0200a@cisco.com> <4827FA33.8020201@it.uc3m.es> <200805121249.11441.remi.denis-courmont@nokia.com> <48281927.4020708@it.uc3m.es><48286CFD.1080204@free.fr> <48287AE5.5010005@sipeerior.com><482882B7.2030806@free.fr><145B7DFA-E397-4184-8FA6-3C255078509F@muada.com><48289C15.3000102@free.fr> <4828A33E.1080700@sipeerior.com><4828ABBE.9010201@free.fr> <4828AE1B.9040901@sipeerior.com> <03C87756-203A-496A-A348-1D0FE15F60F6@gmail.com> <015801c8b50d$984b8eb0$c3f0200a@cisco.com> <8EFD78D3-46EC-4BA5-9F9A-B6F471B9C01F@gmail.com> <018601c8b511$0a83a410$c3f0200a@cisco.com> <2F594053-210D-49D6-A9C7-5245826854A1@gmail.com> <04fe01c8b531$5c086c60$c3f0200a@cisco.com> <ABFE5321-6872-4B67-ADDE-7380F8DE0AD9@gmail.com> <037601c8b5e0$4577f3d0$c3f0200a@cisco.com> <0AC1FB94-BF34-427E-8FA5-5222C67E2067@gmail.com>
Date: Wed, 14 May 2008 10:29:09 -0700
Message-ID: <044701c8b5e8$04dbe860$c3f0200a@cisco.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <0AC1FB94-BF34-427E-8FA5-5222C67E2067@gmail.com>
Thread-Index: Aci15x0UXu+PxHZVTxG+t52RgJOoUQAAEqFA
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3577; t=1210786149; x=1211650149; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[BEHAVE]=20Scalability=20of=20endpoint= 20independent=20mapping |Sender:=20; bh=JQAt52lYEJbmaZezVastYQIDXE8LusQkVdMnjo/Llzo=; b=FxeZH4XL0yT+0QRkJW5b2SGzP8ElWXKS9dSyfDYjCspX9b88pjLl6ua8kQ PpHmvsBXGjaDWdUSyTI+UDArtqBa32WNs16Cv0r3+0XOzPIrPE+ECP3PENfj 599mQqgTf0;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: behave@ietf.org, 'Philip Matthews' <philip_matthews@magma.ca>
Subject: Re: [BEHAVE] Scalability of endpoint independent mapping
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: behave-bounces@ietf.org
Errors-To: behave-bounces@ietf.org

 

> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljitsch@gmail.com] 
> Sent: Wednesday, May 14, 2008 10:23 AM
> To: Dan Wing
> Cc: 'Philip Matthews'; behave@ietf.org
> Subject: Re: [BEHAVE] Scalability of endpoint independent mapping
> 
> On 14 mei 2008, at 18:33, Dan Wing wrote:
> 
> >> If an application wants to make use of endpoint independent mapping
> >> behavior by the NAT, wouldn't its first packets be towards 
> a STUN(T)
> >> server? If we can detect this, providing endpoint independent
> >> behavior where it's needed and using endpoint dependent mappings  
> >> everywhere
> >> else is easy.
> 
> > Someone else (Rémi Després, I believe) had proposed doing that using
> > port numbers.  Doing it with port numbers would also be the 
> first time
> > that TCP behavior is different for different port numbers (the port
> > 1024 restriction does not change the behavior of TCP itself).  But
> > I see (below) that you are considering DPI rather than TCP port
> > numbers.
> 
> I was.
> 
> If STUN always uses port 3478 then that's obviously a good way to  
> detect sessions towards a STUN server.
> 
> So if a host first contacts some random destination using 
> source port  
> 8000 and destination 3478, we know it's talking to a STUN 
> server so we  
> need to make the mapping for source port 8000 address 
> independent. But  
> if a session goes towards port 80 or what have you and the 
> source port  
> isn't used in recent history by that host, we know the host doesn't  
> require endpoint independent mapping.
> 
> > Another idea floating in my head is to use STUN-over-TCP to the
> > NAT64's public IP address itself, which is trivial for the NAT64
> > to notice.
> 
> Yes, but how do hosts know to only use the NAT64's address as their  
> STUN server?
> Don't STUN-aware applications use STUN servers that are 
> preconfigured by the application?

Yes, so you could configure that application so its STUN server is
the public IP address of the NAT64 box.  Or the application could
talk to any STUN server on the Internet and learn the IP address of
its NAT64 box (which is the mechanism described in 
draft-wing-behave-nat-control-stun-usage).

> >> For TCP, another option would be a TCP option in the SYN from
> >> the host to the STUNT server, or in the SYN/ACK from the STUNT
> >> server back to the host, this is probably easier to do than deep
> >> packet inspection to determine whether a random TCP session is
> >> used for STUNT.
> 
> > If the NAT64-aware box at the customer premise could make 
> > the decision
> > (somehow; I'm not sure how it could do that yet), the 
> > NAT64-aware box
> > could communicate the decision to the ISP's big NAT64-box-in-the-sky
> > using a simple-to-see trigger like that.
> 
> Right. Maybe add a router alert for good measure.  :-)

heh.

> > Unfortunately the application and host OS (Windows, OSX) 
> > couldn't set
> > that TCP bit without changes to the TCP API and the TCP stack itself
> > - which means an OS upgrade or, at minimum (if the vendors are
> > motivated) an OS patch.
> 
> Right, that's why I was thinking the option could also flow in the  
> direction from the STUN server to the NAT. Presumably, a STUN server  
> can more easily be set up to include such an option.
> 
> But if we can simply look for port 3478 that's a lot easier.

I am worried that could tie NAT64 too much to STUN.

-d

_______________________________________________
Behave mailing list
Behave@ietf.org
https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email