Re: [BEHAVE] NAPGT request for comments, THANKS!
"Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com> Thu, 18 July 2013 14:31 UTC
Return-Path: <ssenthil@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32AE711E813D; Thu, 18 Jul 2013 07:31:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.998
X-Spam-Level:
X-Spam-Status: No, score=-9.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_63=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XBry4PaXllR0; Thu, 18 Jul 2013 07:31:03 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 108C111E80A2; Thu, 18 Jul 2013 07:31:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19930; q=dns/txt; s=iport; t=1374157863; x=1375367463; h=from:to:cc:subject:date:message-id:in-reply-to: mime-version; bh=Tb5rhaWvXCBr3kDIv11vqy3OpwbCKqO1PJj/U/JTU0E=; b=ME1qe+yGwfyUQQj8/VZHF8jO1dl2GF4Gh6z+K6fOszY9ti267cV5pit5 zzL+Rr+oSZdX+wH4MIhM6cB0uZwjt1EiOgcbS19CvwVilq42Ocs73vJgg ZV6kzX+URydE9Fm8J3DfQRwV5W/gMU8POZ2aJrwuHnGya8DGXbGiR7xXI c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AsUFAOT651GtJXG9/2dsb2JhbABagkJENVC4B4g8gQ4WdIIkAQEBAQIBAQEBawsFDQEIEQMBAQEBCh0uCxQJCAIEDgUIEYdxBgy2D45DgRsgDQQHBgODBW4DmQaQJIMSgXE5
X-IronPort-AV: E=Sophos; i="4.89,694,1367971200"; d="scan'208,217"; a="236464058"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-8.cisco.com with ESMTP; 18 Jul 2013 14:31:02 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id r6IEV1Y6013738 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 18 Jul 2013 14:31:01 GMT
Received: from xmb-rcd-x15.cisco.com ([169.254.5.94]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0318.004; Thu, 18 Jul 2013 09:31:01 -0500
From: "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>
To: "meng.wei2@zte.com.cn" <meng.wei2@zte.com.cn>
Thread-Topic: [BEHAVE] NAPGT request for comments, THANKS!
Thread-Index: AQHOg8NsNWewfH9dsEGq6rcfY/Tw+w==
Date: Thu, 18 Jul 2013 14:31:00 +0000
Message-ID: <CB1B483277FEC94E9B58357040EE5D02325D26B4@xmb-rcd-x15.cisco.com>
In-Reply-To: <OFB6524529.8A50AC25-ON48257BAC.00046B40-48257BAC.0007626C@zte.com.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.117.198.132]
Content-Type: multipart/alternative; boundary="_000_CB1B483277FEC94E9B58357040EE5D02325D26B4xmbrcdx15ciscoc_"
MIME-Version: 1.0
Cc: "Reinaldo Penno (repenno)" <repenno@cisco.com>, "behave-bounces@ietf.org" <behave-bounces@ietf.org>, "behave@ietf.org" <behave@ietf.org>, "Dan Wing (dwing)" <dwing@cisco.com>
Subject: Re: [BEHAVE] NAPGT request for comments, THANKS!
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2013 14:31:08 -0000
From: "meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>" <meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>> Date: Wednesday, July 17, 2013 9:19 PM To: Senthil Sivakumar <ssenthil@cisco.com<mailto:ssenthil@cisco.com>> Cc: "behave@ietf.org<mailto:behave@ietf.org>" <behave@ietf.org<mailto:behave@ietf.org>>, "behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>" <behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>>, "Dan Wing (dwing)" <dwing@cisco.com<mailto:dwing@cisco.com>>, "Reinaldo Penno (repenno)" <repenno@cisco.com<mailto:repenno@cisco.com>> Subject: Re: Re: [BEHAVE] NAPGT request for comments, THANKS! Hi, Please see inline. Thanks, Wei "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com<mailto:ssenthil@cisco.com>> 2013-07-17 21:30:24: > From: "meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>" <meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>> > Date: Wednesday, July 17, 2013 4:08 AM > To: "Reinaldo Penno (repenno)" <repenno@cisco.com<mailto:repenno@cisco.com>> > Cc: "behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>" <behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>>, "behave@ietf.org<mailto:behave@ietf.org>" < > behave@ietf.org<mailto:behave@ietf.org>>, "Dan Wing (dwing)" <dwing@cisco.com<mailto:dwing@cisco.com>> > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! > > > Hi, > I got what the example means. > > 1-1024 is just an example, the range could be any valid value. > > "<1-1024> might be used as NAT, <1025-65535> might be used as > dynamic NAPT", example is as below. > > +----------+ +-----+ +--------+ > + Internet + ----+ NAT +----+ Server + > +----------+ +-----+ +--------+ > > (1) "<1-1024> might be used as NAT" means, > A server behind a NAT. > A message, sent by server, its source port is in 1-1024 (or > 4500-4501 or ...). > The source address will be converted by NAT, the source port remains > the same. > > [Senthil] Sorry, I didn’t read the draft, but the above logic wont > work if there are multiple servers using the same source port. > Also, in some applications (I think rcmd, rshell etc), the source > port doesn’t have to be preserved but must be below 1024. > > Senthil [Wei] I'm presenting the proposal so as to solve this problem : assign port x-y(i.e. 1-1024) to a server(for port preserving function, like NAT), assign the rest of ports to others(for common NAPT). Of course, if there are many servers bebind NAT and whether or not using the same source port, NAT has to need more than one public address. But in this case ,a server will never occupys all ports of a public address, just "x-y". [Senthil] I don’t really understand what is the use case for this? Can you provide a real life use case that would benefit by this? What if the server listens on a port > 1024? Why would the server multiple ports? Why cant a simple port forwarding work? Senthil Wei > > > > (2)<1025-65535> might be used as dynamic NAPT > Meanwhile, many hosts are behind NAT. They attempt to access to > internet. > A message, sent by a host, both its source address and port will > be converted by NAT, and the new port will be in 1025-65535. > > > It will make IP address assignment more effective. > > Cheers, > Wei > > > > behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> 2013-07-17 12:36:30: > > > Hi, > > > > I'm not sure what exactly you man by "might be used as NAT". > > > > 0-1024 might be used for NAPT in a FCFS basis where port > > preservation (this is what we are talking about here, right?) is needed. > > > > As a concrete example, many IPsec Servers still expect to see the > > source port within 0-1024 and preferably a specific source port. If > > that source port is used by the NAT, and more than one IPsec client > > is behind it, there are a some choices available. > > > > - Some funky IPSec ALG (implemented in many products) > > - Give a port above 1024 and hope for the best > > - Deny the connection > > - others.. > > > > Other ports for the same public IP can be used by any other internal > > IP address. This is very common in implementations. > > > > thanks, > > > > From: behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> [behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>] on behalf of > > meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn> [meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn>] > > Sent: Tuesday, July 16, 2013 8:22 PM > > To: Reinaldo Penno (repenno) > > Cc: behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>; behave@ietf.org<mailto:behave@ietf.org>; Dan Wing (dwing) > > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! > > > > > Hi Reinaldo, > > So I suppose <1-1024> might be used as NAT, <1025-65535> might be used as > > dynamic NAPT. > > That is what this view says in the draft. > > > > Cheers, > > Wei > > > > > > behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> 2013-07-17 09:52:34: > > > > > I'm not sure this is a good idea. There are still some protocols > > > around that use ports < 1024 and maintaining the source port after > > > translation in this range is important. > > > > > > From: behave-bounces@ietf.org<mailto:behave-bounces@ietf.org> [behave-bounces@ietf.org<mailto:behave-bounces@ietf.org>] on behalf of > > > Dan Wing (dwing) > > > Sent: Tuesday, July 16, 2013 3:30 PM > > > To: meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn> > > > Cc: behave@ietf.org<mailto:behave@ietf.org> > > > Subject: Re: [BEHAVE] NAPGT request for comments, THANKS! > > > > > > > > On Jul 15, 2013, at 2:43 AM, meng.wei2@zte.com.cn<mailto:meng.wei2@zte.com.cn> wrote: > > > > > > I have submitted a new draft. The objective is to solve a > problem that > > > prevents an external client from accessing an internal server. > > > > > > https://datatracker.ietf.org/doc/draft-meng-behave-napgt/ > > > > > > I expect your comments. Thanks a lot! > > > > > > Draft-meng-behave-napgt appears to describe something that is very > > > similar to the long-standing "DMZ host" configuration available on > > > almost all residential-class NAT devices. I don't think we could > > > standardize that behavior, but perhaps that is possible. > > > > > > Draft-meng-behave-napgt also describes an update to the port > > > assignment behavior described in http://tools.ietf. > > > org/html/rfc5382#section-7.1 (TCP) and http://tools.ietf. > > > org/html/rfc4787#section-4.2.1 (UDP). If I understand Section 4 of > > > draft-meng-behave-napgt properly, it is saying that NATs should not > > > assign ports below 1024 to dynamic connections. This might be > > > something worth considering for draft-ietf-behave-requirements-update? > > > > > > -d > > > _______________________________________________ > > > Behave mailing list > > > Behave@ietf.org<mailto:Behave@ietf.org> > > > https://www.ietf.org/mailman/listinfo/behave > > _______________________________________________ > > Behave mailing list > > Behave@ietf.org<mailto:Behave@ietf.org> > > https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Fwd: I-D Action: draft-chen-behave-nat64… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Dan Wing
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Reinaldo Penno (repenno)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Simon Perreault
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… GangChen
- Re: [BEHAVE] Fwd: I-D Action: draft-chen-behave-n… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] NAPGT request for comments, THANKS! meng.wei2
- Re: [BEHAVE] NAPGT request for comments, THANKS! Senthil Sivakumar (ssenthil)