Re: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis

"Reinaldo Penno (repenno)" <> Mon, 17 June 2013 13:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BC16721F8FF8 for <>; Mon, 17 Jun 2013 06:26:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ErFMdciEXV1o for <>; Mon, 17 Jun 2013 06:26:52 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8146421F8E8C for <>; Mon, 17 Jun 2013 06:26:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=13678; q=dns/txt; s=iport; t=1371475612; x=1372685212; h=from:to:subject:date:message-id:in-reply-to:mime-version; bh=ly8nThCbs48yY+goofkcfsD8RbnWr3X28ixREV/WMZE=; b=PDRAtmBrcgwlDB39c+gavTJHcTpE14JselmuoO30Ry4j2K378kG2PT7h uodONgg8mt/moCwRQiS24SxdSSLNMLWeDRRc44n1nsjU6NLgIBpuxng89 X7eEr9O/YZfAsz/pdfE4cQHXWit3Ex/oOFNEBiebI9KKE1Sy3ZpuqnB+o w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AncFAAcOv1GtJV2c/2dsb2JhbABagkVEMUm2LIg8fRZ0gh8EAQEBBAEBAWsdAQgRAwECCx0uCxQJCAIEARIIAYVAB4IgHgy4Zo4VgQEgDQuCf2EDkzOFN5Aagw+BcTc
X-IronPort-AV: E=Sophos; i="4.87,881,1363132800"; d="scan'208,217"; a="223696117"
Received: from ([]) by with ESMTP; 17 Jun 2013 13:26:52 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r5HDQp9J023414 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 17 Jun 2013 13:26:51 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Mon, 17 Jun 2013 08:26:51 -0500
From: "Reinaldo Penno (repenno)" <>
To: "" <>, "" <>
Thread-Topic: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis
Thread-Index: AQHOase+18zSZk4grEaE3Z51QZKhl5k6CJmA
Date: Mon, 17 Jun 2013 13:26:50 +0000
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_45A697A8FFD7CF48BCF2BE7E106F0604090A89E4xmbrcdx04ciscoc_"
MIME-Version: 1.0
Subject: Re: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Jun 2013 13:26:57 -0000

Hi Ivan,

Thanks for the detailed review of the draft. You might want to reference the newer version at

I'm going through your comments and will start a discussion shortly.



From: ivan c <<>>
Organization: cacaoweb
Reply-To: <<>>
Date: Sun, 16 Jun 2013 21:14:16 +0200
To: <<>>
Subject: [BEHAVE] review of draft-penno-behave-rfc4787-5382-5508-bis


This is my review of draft-penno-behave-rfc4787-5382-5508-bis<>ml>, which is indeed a step in the right direction and corrects omissions and unspecified behaviors left by previous documents. I support its adoption as a working group document.

* Rewrite timestamp and sequence number values at NAT

Requiring NATs to rewrite timestamps and ISNs seems overkill. Generally, mangling with the TCP protocol header other than by rewriting the source endpoint should not be done by NATs.
On the other hand, improving the current situation regarding the TIME_WAIT state by carefully designed filtering rules without altering the TCP header seems acceptable.

* 4. Port overlapping behavior

This is becoming a pressing issue due to increase deployment of CGNs for IPv4 worldwide.
As far as I know, the traditional term to describe this behavior is "port overloading". The term overlapping refers to when two sets have a non empty intersection (they are said to be "overlapping" sets). Overloading is the correct term and was previously used in RFC5382 and RFC4787.
Port overloading is problematic for UDP, as P2P applications generally multiplex several UDP communications over the same socket. The probability that two internal peers communicate to the same remote endpoint can be non-negligeable, depending on the number of UDP communications and characteristics intrinsic to the p2p application. See Birthday Paradox.
For TCP, this problem does not arise nrealy as much as there is a one-to-one mapping between sockets and TCP communications (POSIX does not allow to bind multiple sockets to the same local endpoint for outbound connections). Thus the probability for conflict is much lower.

[RFC5382] REQ-1 indeed requires EIM, but it is important to note that the EIM behavior is required by applications that rely on a POSIX "hack", that is the set up of the SO_REUSEADDR option on the socket to bind two successive outbound connections on the same local endpoint. This hack is controversial and thus [RFC5382] REQ-1 is subject to controversy, for the following reasons: SO_REUSEADDR behavior is left unspecified by POSIX. SO_REUSEADDR is generally implemented by OSes to bypass the TIME_WAIT state for network servers. It violates TCP quiet time, TIME_WAIT and can lead to data corruption. It should generally only be used by listening servers, not client making outbound connections. Its use is discouraged in production for listening servers. RFC 6528.

A correct way to achieve TCP port prediction (which is what [RFC5382] REQ-1 is really about without saying it) without relying on POSIX hacks is to require the NAT to be port-preserving. Port prediction is straightforward in the case of port preservation. It also works nicely with port overloading, and allows p2p applications to work without the need of a third party public server for each TCP communication instantiation. Thus it allows NAT traversal for fully decentralized p2p applications. Most NATs in the wild implement TCP port preservation for this reason.

* End of page 8

The external references provided point to a website written only in japanese. It would be nice to provide a pointer to the english version of these web pages.

* 6. EIF Security

Indeed, EIF poses security concerns. At the very least, use of Address-Dependent Filtering should be recommended. Applications requiring EIF to function are clearly badly designed and it is not the role of an RFC to support incorrect designs.

* 7. EIF Protocol Independence

Do you have any reasonable use for this? In other words, a situation where to punch a UDP hole in a NAT, you want to send a TCP SYN first? (If that's the case, why not sending a UDP packet instead of a TCP SYN...?).
If not, it would be cleaner in my opinion to leave this requirement out. If yes, it would be nicer to describe the real-world use, as i'm sure most of us are not familiar with it.

* 8. EIF Mapping Refresh

(This really only applies to UDP. For TCP, NATs simply keep the mapping as long as the connection is considered on from TCP point of view.)

Agreed, [RFC4787]: REQ-6 is too liberal regarding mapping refreshes. It would be better to recommend Address-Dependent Filtering and Address-Dependent mapping refreshes.

  8.1 Agreed, this point has definitely been overlooked too by RFC5382

* 9. EIM Protocol Independence


* 11. Port Randomization

Agreed, although it doesn't alleviate the fact the port randomization should be implemented by the client OS in the first place. The NAT role is not to harden TCP security.
And as you note, this cannot be implemented if the NAT is TCP port preserving, which makes up the majority of NATs in the wild.


Ivan C.

_______________________________________________ Behave mailing list<>