IETF Logo Mail Archive

Re: [BEHAVE] [v6ops] protocols without need for ALG ?

Owen DeLong <owen@delong.com> Thu, 30 July 2015 21:07 UTC

Return-Path: <owen@delong.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 573321A90A5; Thu, 30 Jul 2015 14:07:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.111
X-Spam-Level:
X-Spam-Status: No, score=-1.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37g7OXSTWeQt; Thu, 30 Jul 2015 14:07:56 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 02F5C1AC3BB; Thu, 30 Jul 2015 14:07:27 -0700 (PDT)
Received: from delong-dhcp229.delong.com (delong-dhcp29 [192.159.10.229]) (authenticated bits=0) by owen.delong.com (8.14.5/8.14.2) with ESMTP id t6UL7N5I010514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 30 Jul 2015 14:07:23 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20150730205806.GI1667@cisco.com>
Date: Thu, 30 Jul 2015 14:07:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <33A0B18B-5C9D-4DC3-9E0B-736D7ECA404F@delong.com>
References: <20150730205806.GI1667@cisco.com>
To: Toerless Eckert <eckert@cisco.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/behave/vuWIoIttRufRrQOaOJoBery1ATA>
Cc: v6ops@ietf.org, behave@ietf.org
Subject: Re: [BEHAVE] [v6ops] protocols without need for ALG ?
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 21:07:57 -0000

> On Jul 30, 2015, at 13:58 , Toerless Eckert <eckert@cisco.com> wrote:
> 
> For autonomic networking (ANIMA WG), we are planning to rely only on IPv6 for initial
> autonomic connectivity, and the question of connecting this (at least initially)
> to IPv4 only NOC equipment came up. Alas, IPv6 support in transport seems to be still
> weak on a range of commonly used NOC tools.
> 
> If i understand the NAT RFCs and behave output correctly, we primaerily
> want ALGs to go the way of the dodo, so i was wondering if there might be
> any crucial protocols between typical NOC equipment and network devices that
> would require ALGs. And better of course:knowing which protocols would be fine
> without ALG.
> 
> Are there any lists about this (eg: what requires ALG ?)
> 
> Wrt to what seems to be important between NOC and network devices:
> 
>   FTP     - NOK (requires ALG) - IMHO not a problem

FTP should be long deprecated for the most part anyway, however, PASV
mode FTP (if you must use FTP) should be OK without need of an ALG.

>   traceroute - ??  (initiated from v4 NOC) ??
>   telnet  - OK 
>   ping    - OK ?

Should generally be OK. Requests must come from translated side of
the host pair. Responses can come from either side, but to be meaningful,
need to be responding from native side to translated side.

>   SSH/SCP - OK
>   syslog  - OK
>   TFTP    - OK ?

Should be OK, depending on which side is client. (client has to be the
private address/translated side of the connection).

>   radius  - OK ? (i ran some tests, seemed to be fine)
>   diameter/tacacs+ - OK ?

Should be OK, again, assuming favorable directionality.

If RADIUS/TACACS server is on translated side and router is on native side,
then this will not work without an ALG or some other hackery.

>   NTP     - OK ???

Same directionality considerations apply here.

>   For the following, that have extensible data-models (MIBs/OIDs, XML schema etc.),
>   i can see that some NOC tools relying on them might not support data-models
>   with IPv6, but that would be "fine" (aka: can't manage everything from such tools,
>   but transport stack works):
> 
>   netconf - OK ?
>   SNMP    - OK ?

Should be OK, assuming favorable directionality.

HTTP
HTTPs
SMTP
IMAP

sFlow/cFlow/etc.

Owen

v2.23.0 | Report a Bug | By Email