Re: [BEHAVE] NAPGT request for comments, THANKS!
"Reinaldo Penno (repenno)" <repenno@cisco.com> Wed, 17 July 2013 04:36 UTC
Return-Path: <repenno@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D766621F9B0E; Tue, 16 Jul 2013 21:36:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htSVWON6imT0; Tue, 16 Jul 2013 21:36:31 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 643CE21F9294; Tue, 16 Jul 2013 21:36:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8274; q=dns/txt; s=iport; t=1374035791; x=1375245391; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=AI+xVVlrTOz3RgdlgWOA4lkPtpFG0qBRyye0lAQwpRM=; b=j2GMux5Yf2iElSoZVEMiCGOsVrJ7zIURh3PawA+R+GjoPfTk9xlPWa21 VJKdWPKiumVTweQu+V9GqDhz8XomApTRNEQTchVnp8V3rzqQfHBNwNrp2 tDHHj+oPNY+JRC4YtLmRAsHkm8z4XkClpLFvfz/5qJKZcpX/mvBbaVPPa 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkwFAHcd5lGtJXHA/2dsb2JhbABagkJENE/CM4EOFnSCIwEBAQMBAQEBawsFCwIBCBEEAQEBCiQnCx0IAgQOBQiIAgYMtUoEjiKBGzEHgwxuA4hvoDqDEoFxNw
X-IronPort-AV: E=Sophos; i="4.89,682,1367971200"; d="scan'208,217"; a="235564650"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-1.cisco.com with ESMTP; 17 Jul 2013 04:36:31 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id r6H4aUP4032247 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 17 Jul 2013 04:36:30 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.56]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.02.0318.004; Tue, 16 Jul 2013 23:36:30 -0500
From: "Reinaldo Penno (repenno)" <repenno@cisco.com>
To: "meng.wei2@zte.com.cn" <meng.wei2@zte.com.cn>
Thread-Topic: [BEHAVE] NAPGT request for comments, THANKS!
Thread-Index: AQHOgnQzZ6Pf4Kbi5E6IWVEkv2NcnZloG0QVgABtbYD//7zUxA==
Date: Wed, 17 Jul 2013 04:36:30 +0000
Message-ID: <45A697A8FFD7CF48BCF2BE7E106F0604090C7C7E@xmb-rcd-x04.cisco.com>
References: <45A697A8FFD7CF48BCF2BE7E106F0604090C7C43@xmb-rcd-x04.cisco.com>, <OF4C144215.B48DC7CC-ON48257BAB.0011BD2C-48257BAB.0012A25F@zte.com.cn>
In-Reply-To: <OF4C144215.B48DC7CC-ON48257BAB.0011BD2C-48257BAB.0012A25F@zte.com.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.86.242.96]
Content-Type: multipart/alternative; boundary="_000_45A697A8FFD7CF48BCF2BE7E106F0604090C7C7Exmbrcdx04ciscoc_"
MIME-Version: 1.0
Cc: "behave@ietf.org" <behave@ietf.org>, "behave-bounces@ietf.org" <behave-bounces@ietf.org>, "Dan Wing (dwing)" <dwing@cisco.com>
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 04:36:37 -0000
Hi, I'm not sure what exactly you man by "might be used as NAT". 0-1024 might be used for NAPT in a FCFS basis where port preservation (this is what we are talking about here, right?) is needed. As a concrete example, many IPsec Servers still expect to see the source port within 0-1024 and preferably a specific source port. If that source port is used by the NAT, and more than one IPsec client is behind it, there are a some choices available. - Some funky IPSec ALG (implemented in many products) - Give a port above 1024 and hope for the best - Deny the connection - others.. Other ports for the same public IP can be used by any other internal IP address. This is very common in implementations. thanks, ________________________________ From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of meng.wei2@zte.com.cn [meng.wei2@zte.com.cn] Sent: Tuesday, July 16, 2013 8:22 PM To: Reinaldo Penno (repenno) Cc: behave-bounces@ietf.org; behave@ietf.org; Dan Wing (dwing) Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! Hi Reinaldo, So I suppose <1-1024> might be used as NAT, <1025-65535> might be used as dynamic NAPT. That is what this view says in the draft. Cheers, Wei behave-bounces@ietf.org 2013-07-17 09:52:34: > I'm not sure this is a good idea. There are still some protocols > around that use ports < 1024 and maintaining the source port after > translation in this range is important. > > From: behave-bounces@ietf.org [behave-bounces@ietf.org] on behalf of > Dan Wing (dwing) > Sent: Tuesday, July 16, 2013 3:30 PM > To: meng.wei2@zte.com.cn > Cc: behave@ietf.org > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! > > On Jul 15, 2013, at 2:43 AM, meng.wei2@zte.com.cn wrote: > > I have submitted a new draft. The objective is to solve a problem that > prevents an external client from accessing an internal server. > > https://datatracker.ietf.org/doc/draft-meng-behave-napgt/ > > I expect your comments. Thanks a lot! > > Draft-meng-behave-napgt appears to describe something that is very > similar to the long-standing "DMZ host" configuration available on > almost all residential-class NAT devices. I don't think we could > standardize that behavior, but perhaps that is possible. > > Draft-meng-behave-napgt also describes an update to the port > assignment behavior described in http://tools.ietf. > org/html/rfc5382#section-7.1 (TCP) and http://tools.ietf. > org/html/rfc4787#section-4.2.1 (UDP). If I understand Section 4 of > draft-meng-behave-napgt properly, it is saying that NATs should not > assign ports below 1024 to dynamic connections. This might be > something worth considering for draft-ietf-behave-requirements-update? > > -d > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Fwd: I-D Action: draft-chen-behave-nat64… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Dan Wing
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Simon Perreault
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)