IETF Logo Mail Archive

Re: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00

Simon Perreault <simon.perreault@viagenie.ca> Mon, 07 December 2009 13:29 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED47C3A67CF for <behave@core3.amsl.com>; Mon, 7 Dec 2009 05:29:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.511
X-Spam-Level:
X-Spam-Status: No, score=-2.511 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SCagXqovaeEM for <behave@core3.amsl.com>; Mon, 7 Dec 2009 05:29:36 -0800 (PST)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by core3.amsl.com (Postfix) with ESMTP id A63553A6828 for <behave@ietf.org>; Mon, 7 Dec 2009 05:29:36 -0800 (PST)
Received: from ringo.viagenie.ca (ringo.viagenie.ca [IPv6:2620:0:230:c000::67]) by jazz.viagenie.ca (Postfix) with ESMTPA id 42CC120E53; Mon, 7 Dec 2009 08:29:26 -0500 (EST)
Message-ID: <4B1D0335.6070601@viagenie.ca>
Date: Mon, 07 Dec 2009 08:29:25 -0500
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20090922 Fedora/3.0-3.9.b4.fc12 Thunderbird/3.0b4
MIME-Version: 1.0
To: Reinaldo Penno <rpenno@juniper.net>
References: <C741EB79.B9F1%rpenno@juniper.net>
In-Reply-To: <C741EB79.B9F1%rpenno@juniper.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Cameron Byrne <cb.list6@gmail.com>, "behave@ietf.org" <behave@ietf.org>, 'Xu Xiaohu' <xuxh@huawei.com>, Dan Wing <dwing@cisco.com>
Subject: Re: [BEHAVE] proprietary implementation v.s standardisedprotocols//re: draft-xu-behave-nat-state-sync-00
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 13:29:38 -0000

Reinaldo Penno wrote, on 2009-12-07 02:15:
> On 12/5/09 3:50 AM, "Simon Perreault" <simon.perreault@viagenie.ca> wrote:
>> On 12/05/2009 03:27 AM, Reinaldo Penno wrote:
>>> If a certain mapping on NAT64-A does not send ICMPv4 packets back
>>> for unsolicited sessions and another mapping does, this behavior must remain
>>> the same on the fail-over box.
>>
>> This is arguable. IMHO, this behaviour could be different without
>> negative impact in many situations.
> 
> This is a vague statement. Can you please elaborate which situations are
> these without negative impact?

The situation: Two NATs, state synced, one sending ICMP errors and the other not.

To elaborate further: Suppose I'm talking about a small/medium enterprise with
the two NATs in sync sitting at the border of the Internet and their LAN. There
are people working in the LAN, with, say, web browsers. They absolutely don't
care about the difference in ICMP behaviours.

> In my experience there are usually negative impacts ranging from from legal
> requirements, DDoS & security and last but not least performance.

Sure, I don't disagree. But there are tons of other cases where it doesn't matter.

So we could want the sync protocol to negotiate or not these differences in
behaviour.

>> The state sync protocol is only concerned with stuff that varies over
>> time, i.e. bindings and sessions. That's it.
> 
> Can you explain what exactly and how is your definition of 'vary over time'?
> When a NAT binding is created with certain parameters, do you foresee the
> same NAT binding varying over time before the session is over?

Example: You power up the NAT and put it in service. It has no
bindings/sessions. As packets traverse it, bindings and sessions get created,
deleted, etc. So the binding and session tables vary over time. Also known as
"dynamic".

The behaviours such as "sends ICMP errors" do not vary. They are always the same
(or at least, remain constant during the lifetime of a NAT state sync session).
Therefore the state sync protocol has nothing to do with them. It may need to be
restarted to renegotiate their values if they change, but that's it. Also known
as "static".

> I certainly foresee that the same private address can get a different
> bindings when it goes to different destinations over time. But then it can
> also get a different ICMP handling, filtering, logging and timer behavior.
> Therefore this state also needs to be synched with each new different
> binding. 

No. This is not dynamic state, it's static configuration. The static
configuration needs to be the same, or could also be negotiated at the
beginning. It is completely separate from state sync and does not run under the
same constraints. For example, the state sync protocol needs to be very
efficient. But to negotiate static configuration this constraint is relaxed.

If you want to do this "at random" then yes it would be dynamic and need to be
synchronized. But I suggest this be out of scope.

>> "NAT operational complexity is high" is a blanket statement. For
>> example, nowadays most everyone has a NAT at home without even knowing it.
> 
> Right, one vendor, one box, one interface in-out, box wide knobs for most
> NAT behavior. Is that how you see service providers NAT boxes?

I suppose that the correct answer is "no."

Note that a NAT state sync protocol would be useful to much more than just
service providers.

> Because that would explain where you are coming from in relation to NAT
> state, filtering, etc.

I'm feeling that this discussion is becoming less constructive.

> PS: One thing NAT home devices have that is very useful is UPnP and NAT-PMP
> (but that is being implemented in some large NAT boxes). Thinking about that
> makes me wonder if the protocol will synch dynamic NAT port forwarding state
> established through UPNP and NAT-PMP across boxes.

Sure, why not? It's just a matter of propagating changes to the binding/session
tables.


To recap our discussion:

- An eventual state sync protocol would need an init phase where static
configuration and behaviours would be negotiated.

- The level to which the static stuff needs to be similar (or made similar) will
differ in different cases.

- After the negotiation is successful, only dynamic state updates will be
propagated.

Is this right? Does anything else need to be said at this point?

Thanks,
Simon
-- 
DNS64 open-source   --> http://ecdysis.viagenie.ca
STUN/TURN server    --> http://numb.viagenie.ca
vCard 4.0           --> http://www.vcarddav.org

v2.23.0 | Report a Bug | By Email