[BEHAVE] Review Part 2(final) of draft-ietf-behave-v6v4-xlate-stateful-03
George Tsirtsis <tsirtsis@googlemail.com> Wed, 25 November 2009 12:17 UTC
Return-Path: <tsirtsis@googlemail.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 33DA23A6925 for <behave@core3.amsl.com>; Wed, 25 Nov 2009 04:17:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.796
X-Spam-Level:
X-Spam-Status: No, score=-0.796 tagged_above=-999 required=5 tests=[AWL=0.581, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZbU2yrzGPICp for <behave@core3.amsl.com>; Wed, 25 Nov 2009 04:17:25 -0800 (PST)
Received: from mail-fx0-f213.google.com (mail-fx0-f213.google.com [209.85.220.213]) by core3.amsl.com (Postfix) with ESMTP id 8C00D3A68FD for <behave@ietf.org>; Wed, 25 Nov 2009 04:17:24 -0800 (PST)
Received: by fxm5 with SMTP id 5so6871406fxm.28 for <behave@ietf.org>; Wed, 25 Nov 2009 04:17:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=ezVHMgzP7gM/ChQr3HtjR0P06zBVcTjFMoL/nz9aAzw=; b=r4gHZvwM5sgtx1MavVa5Mh3FscT9bU27xAaf9z9GJsCv+hxXT3QmEYCQBjGkN9ed0Z HDaMLzoQXgLUiBHNSt5QrNpNAwu4u4yBUwmwkZM3WURfLfAh6SPEbEO3Ou4kbFN3EMD/ JTlMBdfNwB5MGzIzP1b2D0VjjTWFcA136WERk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=VPFg2vRbB1zViDn7DbA9q9Z2A2P3s+m6TfuEkUD/5+8ioOKEglPUWkV4WdKC7R+9pA 60/+anVR9nhPuEae+BTU82v/sd+bbn8n6HcD/yeRwcXvgXGWejWUs592x7ib5JVlWwYu tEInUWgJVqfVp/5E7Gq1E2T0HdFBttOPNRkrk=
MIME-Version: 1.0
Received: by 10.239.197.135 with SMTP id z7mr697938hbi.211.1259151436262; Wed, 25 Nov 2009 04:17:16 -0800 (PST)
Date: Wed, 25 Nov 2009 12:17:16 +0000
Message-ID: <d3886a520911250417l36b4cb02ve40f0a07eefdee66@mail.gmail.com>
From: George Tsirtsis <tsirtsis@googlemail.com>
To: behave@ietf.org
Content-Type: text/plain; charset="UTF-8"
Subject: [BEHAVE] Review Part 2(final) of draft-ietf-behave-v6v4-xlate-stateful-03
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 12:17:28 -0000
Hi all, This continues and concludes my review of draft-ietf-behave-v6v4-xlate-stateful-03 So on with the review from section 3.2.2 where I left it in Part 1.. Regards George ... 3.2.2. TCP Session Handling The state information stored for a TCP session: Binding:(X',x),(Y',y) <--> (T,t),(Z,z) Lifetime: is a timer that tracks the remaining lifetime of the UDP session. The NAT64 decrements this timer at regular intervals. When the timer expires, the TCP session is deleted. If all the TCP sessions corresponding to a TCP BIB entry are deleted, then the TCP BIB entry is also deleted (only applies to the case of dynamically created entries). TCP sessions are expensive, because their inactivity lifetime is set to 2 hours and 4 min (as per [RFC5382]), so it is important that each GT> according to RFC5382: // to 2 hours... / to at least 2 hours.../ TCP session table entry corresponds to an existent TCP session. In order to do that, the NAT64 tracks the TCP connection procedure. In this section we describe how the NAT64 does that tracking by describing the state machine. GT> Maybe rephrase: "In order to do that, for each TCP session established through it, it tracks the corresponding state machine as follows": The states are the following ones: CLOSED V4 SYN RCV V6 SYN RCV ESTABLISHED V4 FIN RCV V6 FIN RCV V6 FIN + V4 FIN RCV RST RCV The state machine for the TCP session processing is depicted next. GT> What state machine is this exactly? It is clearly not the TCP state machine according to RFC793. - Is it a state machine you expect the NAT64 to implement? - on which interface? on the one where the TCP client is or the TCP server? or is this state machine driven by either side (seems this is the case)? - are all states valid for all TCP session? It seems not. A given flow will either be initiated from the IPv6 or from the IPv4 side and thus, only some of these states will be valid for a given session. i think it is not immediately obvious which ones these are which leads to some confusion when reading through this. Bagnulo, et al. Expires May 25, 2010 [Page 18] Internet-Draft NAT64 November 2009 +----------------------------+ +-----------------------------+ | | | | | V V | | V6 +------+ V4 | | +----SYN------|CLOSED|-----SYN------+ | | | +------+ | | | | ^ | | | | |4min T.O. | | | V | V | | +-------+ +-------+ +-------+ | | |V6 SYN | |RST RCV| |V4 SYN | | | | RCV | +-------+ | RCV | | | +-------+ | ^ +-------+ | | | data pkt | | | | | | V4 or V6 RST | | 2Hrs V4 SYN V | V6 SYN | T.O. | +--------------+ | | | +--------->| ESTABLISHED |<---------+ | +--------------------->| | | +--------------+ | | | | V4 FIN V6 FIN | | | | V V | +---------+ +----------+ | | V4 FIN | | V6 FIN | | +---------+ +----------+ | | | | V6 FIN V4 FIN 4 min | | T.O. V V | +-------------------+ | | V4 FIN + V6 FIN |----------------------+ +-------------------+ After bootstrapping of the NAT64 device, all TCP session are in CLOSED state. We next describe the state information and the transitions. GT> RFC793 (which BTW should be referenced) describes the CLOSED state as imaginary...since in practice it only exists on paper to describe the absence of any state. I would also suggest that a brief description of each of the states similar to the ones listed in RFC793, section 3.2 would be useful. A TCP segment with the SYN flag set that is received through the IPv6 interface is called a V6 SYN, similarly, V4 SYN, V4 FIN, V6 FIN, V6 FIN + V4 FIN, V6 RST and V4 RST. *** CLOSED *** If a V6 SYN is received, the processing is as follows: GT> It would be useful to note that this constitutes a TCP session initiation from the IPv6 side to the IPv4 side. It should also be noted that IPv6 packets are only processed if the destination IPv6 address is from Pref64::/n. Bagnulo, et al. Expires May 25, 2010 [Page 19] Internet-Draft NAT64 November 2009 The state of the session is moved to V6 SYN RCV. GT> I think that it is more accurate to first successfully process the packet and then change the state, otherwise if something goes wrong you have to move the state back or move to a different state. The NAT64 searches for a TCP BIB entry that matches the IPv6 source transport address. GT> Use the (X',x) <--> (T,t) notation to describe what this search involves. If such entry does not exists, a new entry is created. GT> What should the NAT64 do if an entry already exists? is this an error or could it be a retransmission? In general I think you should check all the "if" statements to make sure that the "if not" case is also covered. As IPv6 address, the source IPv6 transport address of the packet is included and an IPv4 transport address allocated using the rules defined in Section 3.2.3 is included as the IPv4 transport address. GT> Use the (X',x) <--> (T,t) notation to describe how the new entry is created. Then a new TCP session entry is created in the TCP session table. The information included in the session table is as follows: GT> Again use the (X',x),(Y',y) <--> (T,t),(Z,z) notation. I know this sounds painful but it will make things much clearer. The IPv6 transport source and destination addresses contained in the received V6 SYN packet, The IPv4 transport source address is extracted from the corresponding TCP BIB entry and, the IPv4 transport destination address contains the same port as the IPv6 destination transport address and the IPv4 address that is algorithmically generated from the IPv6 destination address using the reverse algorithm as specified in Section 3.2.5. The lifetime of the TCP session table entry is set to 4 min (the transitory connection idle timeout as defined in [RFC5382]). GT>according to the RFC: //is set to 4 min/is set to at least 4 min/ The packet is translated and forwarded. GT> point to translator draft If a V4 SYN packet is received, the processing is as follows: GT> It would be useful to note that this constitutes a TCP session initiation from the IPv4 side to the IPv6 side. It should also be noted that IPv4 packets are only processed if the destination IPv4 address is from the pool of IPv4 addresses explicitly used by NAT64 for translation. This again ensures that NAT64 does not interfere with packets that do not need translation. If the security policy requires silently dropping externally initiated TCP connections, then the packet is silently discarded, else, GT> What is this "security policy"? this is the first time it is mentioned in the draft. I thought all filtering is either done by BIB or by session entries. If the destination transport address contained in the incoming V4 SYN is not in use in the TCP BIB, then the packet is discarded and an ICMP Port Unreachable error (Type 3, Code 3) is sent back to the source of the v4 SYN. The state remains unchanged in CLOSED If the destination transport address contained in the incoming V4 SYN is in use in the TCP BIB, then GT> Use the (X',x) <--> (T,t) notation to describe what these unsuccessful and then successful searches involve. The state is moved to V4 SYN RCV. GT> Again, I think it might be better if the state is changed after the following processing completes successfully. Bagnulo, et al. Expires May 25, 2010 [Page 20] Internet-Draft NAT64 November 2009 A new session table entry is created in the TCP session table, containing the following information: GT> Use the (X',x) <--> (T,t) notation The transport source and destination address contained in the V4 SYN and, The source IPv6 transport address (in the IPv6 --> IPv4 direction) contained in the existing TCP BIB entry. The destination IPv6 transport address contains the same port than the destination IPv4 transport address and the IPv6 representation of the IPv4 address of the destination IPv4 transport address, generated using the algorithm described in Section 3.2.5. The lifetime of the entry is set to 6 seconds as per [RFC5382]. The packet is discarded. GT> Without reading RFC5382, which describes how this helps simultaneous-open, this sounds very weired and completly unorthodox. Initialy I thought the statement "The packet is discarded" was simple an error and only understood what was going on after talking to Marcelo. It would be beneficial to briefly outline why this is done to provide context to the reader and then encourage them to read RFC5382 for the details. For any other IPv6 packet, depending on the security policy other packets MAY be forwarded or MAY be silently discarded. In any case, the state remains unchanged. GT> this statement sounds hand-waving and wrong. What "other IPv6 packets" it refers to? and "MAY be forwarded or MAY silently discarded" based on what? for example other IPv6 SYN packets to different source/dest? other IPv6 UDP packets? ICMPv6? For any other IPv4 packet, GT> Again what other IPv4 packets? same questions as for IPv6 above. GT> Use the proper notation for the searches If the destination transport address contained in the incoming IPv4 packet is in use in the TCP BIB depending on the security policy other packets MAY be forwarded or MAY be silently discarded. In any case, the state remains unchanged. If the destination transport address contained in the incoming IPv4 packet is not in use in the TCP BIB the packet is silently discarded. *** V4 SYN RCV *** GT> Unlike the CLOSED state where any TCP SYN packets would be processed as defined since these are the only packets that instantiate the state machine, from here one a packet will only affect an instance of the state machine if it matches the BIB and session entries. so this should be examined first again using our favorite notation. If a V6 SYN is received, then the state is moved to ESTABLISHED. G> change state after processing The lifetime of the corresponding TCP session table entry is updated to 2 hours 4 min (the established connection idle timeout as defined in GT> to at least 2 hours and 4 min [RFC5382]). The packet is translated and forwarded. If the lifetime expires, an ICMP Port Unreachable error (Type 3, Code GT> //if the lifetime expires/If no relevant V6 SYN is received and the lifetime of the session entry expires/ 3) is sent back to the source of the v4 SYN, the session table entry is deleted and, the state is moved to CLOSED. For any other packet, depending on the security policy other packets MAY be forwarded or MAY be silently discarded. In any case, the Bagnulo, et al. Expires May 25, 2010 [Page 21] Internet-Draft NAT64 November 2009 state remains unchanged. GT> again hand waving regarding "other" packets. we should state what happens to other packets that match the same BIB/session entries and specifically what happens to other V4SYN packets (e.g. retransmitted) *** V6 SYN RCV *** If a V4 SYN is received (with or without the ACK flag set), then the state is moved to ESTABLISHED. The timer is updated to 2 hours 4 min GT> to at least 2 hours... (the established connection idle timeout as defined in [RFC5382]). The packet is translated and forwarded. If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. GT> //if the lifetime expires/If no relevant V4 SYN is received and the lifetime of the session entry expires/ For any other packet, depending on the security policy other packets MAY be forwarded or MAY be silently discarded. In any case, the state remains unchanged. GT> same hand waving as earlier *** ESTABLISHED *** If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. GT> This could be deleted since it is repeated below. If a V4 FIN packet is received, the packet is translated and forwarded. The state is moved to V4 FIN RCV. If a V6 FIN packet is received, the packet is translated and forwarded. The state is moved to V6 FIN RCV. GT> Be specific about FIN packet matching BIB/session entries. Also what happens to lifetime when you move to FIN RCV? If a packet is received, the packet is translated and forwarded. The lifetime is set to 2 hours and 4 min. The state remains unchanged as ESTABLISHED. GT> Again be more specific i.e., any TCP packet that matches the BIB/Session entries for this TCP state machine resets the timer to at least 2 hours and 4min i.e., the lifetime at the ESTABLISH state is an "idle-timeout" affected by any packet on this session, including regular data TCP packets and TCP keep-alives. This is not the case in some of the other states where only specific control packets affect them. Make similar clarifications for V6/V4 FIN packets If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. If a V4 RST or a V6 RST packet is received, the packet is translated and forwarded. The lifetime is set to 4 min and state is moved to RST RCV. GT> Some justification for this would be useful. *** V4 FIN RCV *** If a packet is received, the packet is translated and forwarded. The GT> be specific on what packet lifetime is set to 2 hours and 4 min. The state remains unchanged as V4 FIN RCV. GT> to at least 2 hours... If a V6 FIN packet is received, the packet is translated and GT> one that matches BIB/session forwarded. The lifetime is set to 4 min. The state is moved to V6 FIN + V4 FIN RCV. GT> to at least 4 min... Bagnulo, et al. Expires May 25, 2010 [Page 22] Internet-Draft NAT64 November 2009 If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. *** V6 FIN RCV *** If a packet is received, the packet is translated and forwarded. The GT> be specific on the packet. lifetime is set to 2 hours and 4 min. The state remains unchanged as V6 FIN RCV. GT> to at least 2 hours... If a V4 FIN packet is received, the packet is translated and forwarded. The lifetime is set to 4 min. The state is moved to V6 FIN + V4 FIN RCV. GT> to at least 4 min... If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. *** V6 FIN + V4 FIN RCV *** All packets are translated and forwarded. GT> be specific on which packets? If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. *** RST RCV *** If a packet is received, the lifetime is set to 2 hours and 4 min and the state is moved to ESTABLISHED. GT> be specific on which packet. If the lifetime expires, the session table entry is deleted and the state is moved to CLOSED. 3.2.3. Rules for allocation of IPv4 transport addresses GT> Shouldn't this section be after section 3.2.4 on ICMP? If the rules specify that a new BIB entry is created for a source transport address of (S',s), then the NAT64 allocates an IPv4 transport address for this BIB entry as follows: If there exists some other BIB entry containing S' as the IPv6 address and mapping it to some IPv4 address T, then use T as the IPv4 address. Otherwise, use any IPv4 address assigned to the IPv4 interface. GT> from the pool specifically used for translation If the port s is in the Well-Known port range 0..1023, then allocate a port t from this same range. Otherwise, if the port s is in the range 1024..65535, then allocate a port t from this range. Furthermore, if port s is even, then t must be even, and if port s is odd, then t must be odd. GT> It is not immediately obvious why the above is so...some justification would be useful. Section 7.1 of RFC5382 provides some justification Bagnulo, et al. Expires May 25, 2010 [Page 23] Internet-Draft NAT64 November 2009 In all cases, the allocated IPv4 transport address (T,t) MUST NOT be in use in another entry in the same BIB, but MAY be in use in the other BIB. GT> I have no clue what this means. If it is not possible to allocate an appropriate IPv4 transport address or create a BIB entry for some reason, then the packet is discarded. GT> are we sure this is appropriate in all cases? should appropriate ICMP error be sent? 3.2.4. ICMP Query Session Handling The state information stored for an ICMP Query session in the ICMP Query session table includes a timer that tracks the remaining lifetime of the session. GT> As with TCP and UDP we should repeat the notation here for the sessions and use it throughout the section The NAT64 decrements this timer at regular intervals. GT> I do not understand what this means.a timer is a timer and it is decremented as time passes. What is missing though it some indication on when the timer is reset to its initial value. When the timer expires, the session is deleted. If all the sessions corresponding to a ICMP Query BIB entry are deleted, then the ICMP Query BIB entry is also deleted in the case of dynamically created entries. GT> for the rest of this sub-section the usual comment sapply i.e., be specific on what packet it is being processed and use our favorit notation to explain how entries are searched or created. An incoming ICMPv6 Informational packet is processed as follows: If the local security policy determines that ICMPv6 Informative packets are to be filtered, the packet is silently discarded. Else, the NAT64 searches for a ICMP Query BIB entry that matches the (IPv6 source address, ICMPv6 Query Id) pair. If such entry does not exist, a new entry is created. As (IPv6 address, ICMPv6 Query Id) pair, the source IPv6 address of the packet and the ICMPv6 Query Identifier are included. The IPv4 address and ICMPv4 Query Identifier values are allocated as follows: If there exists some other BIB entry containing the same IPv6 address and mapping it to some IPv4 address T, then use T as the IPv4 address. Otherwise, use any IPv4 address assigned to the IPv4 interface. As ICMPv4 Identifier use any available value i.e. any identifier value for which no other entry exists with the same (IPv4 address, ICMPv4 Query Id) pair. The NAT64 searches for the session table entry corresponding to the incoming 3-tuple. If no such entry is found, a new entry is created. The information included in the session table is as follows: the IPv6 source and destination addresses contained in the received IPv6 packet, the IPv4 source address, the ICMPv4 Query Id and the ICMPv6 Query Id are extracted from the corresponding ICMP Query BIB entry and the IPv4 destination address is algorithmically generated from the IPv6 destination address using the reverse algorithm as specified in Section 3.2.5. Bagnulo, et al. Expires May 25, 2010 [Page 24] Internet-Draft NAT64 November 2009 The NAT64 sets or resets the timer in the session table entry to maximum session lifetime. By default, the maximum session lifetime is 60 seconds. The maximum lifetime value SHOULD be configurable. The packet is translated and forwarded as described in the following sections. An incoming ICMPv4 Query packet is processed as follows: The NAT64 searches for a ICMP Query BIB entry that matches the IPv4 destination address and ICMPv4 query Id pair. If such entry does not exists, the packet is dropped. An ICMP message MAY be sent to the original sender of the packet, unless the discarded packet is itself an ICMP message. The ICMP message, if sent, has a type of 3 (Destination Unreachable). If the NAT64 filters on its IPv4 interface, then the NAT64 checks to see if the incoming packet is allowed according to the address- dependent filtering rule. To do this, it searches for a session table entry with a source IPv4 address and ICMP Query Id pair equal to the destination IPv4 address and ICMP Query Id in the incoming 3-tuple and destination IPv4 address (in the session table entry) equal to the source IPv4 address in the incoming 3-tuple. If such an entry is found (there may be more than one), packet processing continues. Otherwise, the packet is discarded. If the packet is discarded, then an ICMP message MAY be sent to the original sender of the packet, unless the discarded packet is itself an ICMP message. The ICMP message, if sent, has a type of 3 (Destination Unreachable) and a code of 13 (Communication Administratively Prohibited). The NAT64 searches for the session table entry corresponding to the incoming 3-tuple. If no such entry is found, a new entry is created. The ICMP Query session table entry contains the ICMPv4 Query Identifier, source and destination address contained in the IPv4 packet and the source IPv6 address and the ICMPv6 Query Id (in the IPv6 --> IPv4 direction) contained in the existing ICMP Query BIB entry. The destination IPv6 address contains is the IPv6 representation of the IPv4 address of the destination IPv4 address, generated using the algorithm described in Section 3.2.5. The NAT64 sets or resets the timer in the session table entry to maximum session lifetime. By default, the maximum session lifetime is 60 seconds. The maximum lifetime value SHOULD be configurable. The packet is translated and forwarded as described in the following sections. Bagnulo, et al. Expires May 25, 2010 [Page 25] Internet-Draft NAT64 November 2009 3.2.5. Generation of the IPv6 representations of IPv4 addresses NAT64 support multiple algorithms for the generation of the IPv6 representation of an IPv4 address. The constraints imposed to the generation algorithms are the following: The same algorithm to create an IPv6 address from an IPv4 address MUST be used by: The DNS64 to create the IPv6 address to be returned in the synthetic AAAA RR from the IPv4 address contained in original A RR, and, The NAT64 to create the IPv6 address to be included in the destination address field of the outgoing IPv6 packets from the IPv4 address included in the destination address field of the incoming IPv4 packet. The algorithm MUST be reversible, i.e. it MUST be possible to extract the original IPv4 address from the IPv6 representation. The input for the algorithm MUST be limited to the IPv4 address, the IPv6 prefix (denoted Pref64::/n) used in the IPv6 representations and optionally a set of stable parameters that are configured in the NAT64 (such as fixed string to be used as a suffix). GT> In this case the same "set of stable parameters" has to also be configured in DNS64? If we note n the length of the prefix Pref64::/n, then n MUST the less or equal than 96. If a Pref64::/n is configured through any means in the DNS64 (such as manually configured, or other automatic mean not specified in this document), the default algorithm MUST use this prefix. If no prefix is available, the algorithm MUST use the Well-Known prefix (include here the prefix to be assigned by IANA) defined in [I-D.ietf-behave-address-format] GT> In either case, for a site using a given NAT64, the Prefix64::/ MUST be uniquely routable to the NAT64 function defined here, correct? This prefix I assume should be globally routable? this seems necessary if the IPv6 side is the whole IPv6 Internet....but is this required even in if the IPv6 site is a stab connected to the IPv4 Internet? Or maybe all this is defined in draft-ietf-behave-address-format; if that is the case then point to it not just for the format but for other requirements on the Prefix64. NAT64 MUST support the following algorithms for generating IPv6 representations of IPv4 addresses defined in [I-D.ietf-behave-address-format]: Zero-Pad And Embed, defined in section 3.2.3 of [I-D.ietf-behave-address-format] Compensation-Pad And Embed, defined in section of 3.2.4 of [I-D.ietf-behave-address-format] Embed And Zero-Pad, defined in section of 3.2.5 of [I-D.ietf-behave-address-format] Bagnulo, et al. Expires May 25, 2010 [Page 26] Internet-Draft NAT64 November 2009 Preconfigured Mapping Table, defined in section of 3.2.6 of [I-D.ietf-behave-address-format] GT> The pointers need updating The default algorithm used by NAT64 must be Embed and Zero-Pad. While the normative description of the algorithms is provided in [I-D.ietf-behave-address-format]. GT> is the "must" above normative? should it be "MUST"? 3.3. Computing the Outgoing Tuple This step computes the outgoing tuple by translating the addresses and ports or ICMP Query Id in the incoming tuple. In the text below, a reference to the the "BIB" means either the TCP BIB the UDP BIB or the ICMP Query BIB as appropriate. NOTE: Not all addresses are translated using the BIB. BIB entries are used to translate IPv6 source transport addresses to IPv4 source transport addresses, and IPv4 destination transport addresses to IPv6 destination transport addresses. They are NOT used to translate IPv6 destination transport addresses to IPv4 destination transport addresses, nor to translate IPv4 source transport addresses to IPv6 source transport addresses. The latter cases are handled applying the algorithmic transformation described in Section 3.2.5. This distinction is important; without it, hairpinning doesn't work correctly. 3.3.1. Computing the outgoing 5-tuple for TCP, UDP and ICMP error messages The transport protocol in the outgoing 5-tuple is always the same as that in the incoming 5-tuple. When translating in the IPv6 --> IPv4 direction, let the incoming source and destination transport addresses in the 5-tuple be (S',s) and (D',d) respectively. The outgoing source transport address is computed as follows: the BIB contains a entry (S',s) <--> (T,t), then the outgoing source transport address is (T,t). The outgoing destination address is computed algorithmically from D' using the address transformation described in Section 3.2.5. When translating in the IPv4 --> IPv6 direction, let the incoming source and destination transport addresses in the 5-tuple be (S,s) and (D,d) respectively. The outgoing source transport address is computed as follows: The outgoing source transport address is generated from S using the address transformation algorithm described in Section 3.2.5. Bagnulo, et al. Expires May 25, 2010 [Page 27] Internet-Draft NAT64 November 2009 The outgoing destination transport address is computed as follows: If the BIB contains an entry (X',x) <--> (D,d), then the outgoing destination transport address is (X',x). Otherwise, discard the packet. GT> This section is about calculating a tuple. the decision to discard a packet seems completly out of place. If the rules specify that the packet is discarded, then the NAT64 MAY send an ICMP reply to the original sender, unless the packet being translated contains an ICMP message. The type should be 3 (Destination Unreachable) and the code should be 0 (Network Unreachable in IPv4, and No Route to Destination in IPv6). GT> same here, looks out of place. 3.3.2. Computing the outgoing 3-tuple for ICMP Query messages When translating in the IPv6 --> IPv4 direction, let the incoming source and destination addresses in the 3-tuple be S' and D' respectively and the ICMPv6 Query Identifier be I1. The outgoing source address is computed as follows: the BIB contains a entry (S',I1) <--> (T,I2), then the outgoing source address is T and the ICMPv4 Query Id is I2. The outgoing IPv4 destination address is computed algorithmically from D' using the address transformation described in Section 3.2.5. When translating in the IPv4 --> IPv6 direction, let the incoming source and destination addresses in the 3-tuple be S and D respectively and the ICMPv4 query Id is I2. The outgoing source address is generated from S using the address transformation algorithm described in Section 3.2.5. The outgoing destination address and ICMPv6 Query Id are computed as follows: If the BIB contains an entry (X',I1) <--> (D,I2), then the outgoing destination address is X' and the outgoing ICMPv6 Query Id is I1. Otherwise, discard the packet. GT> same here NOTE: Not sure if this applies to ICMP query messages....If the rules specify that the packet is discarded, then the NAT64 MAY send an ICMP reply to the original sender, unless the packet being translated contains an ICMP message. The type should be 3 (Destination Unreachable) and the code should be 0 (Network Unreachable in IPv4, and No Route to Destination in IPv6). GT> same here Bagnulo, et al. Expires May 25, 2010 [Page 28] Internet-Draft NAT64 November 2009 3.4. Translating the Packet This step translates the packet from IPv6 to IPv4 or vice-versa. The translation of the packet is as specified in section 3 and section 4 of IP/ICMP Translation Algorithm [I-D.ietf-behave-v6v4-xlate], with the following modifications: o When translating an IP header (sections 3.1 and 4.1), the source and destination IP address fields are set to the source and destination IP addresses from the outgoing 5-tuple. GT> clarify that the outgoing 5-tuple is defined in an earlier section of this document. o When the protocol following the IP header is TCP or UDP, then the source and destination ports are modified to the source and destination ports from the outgoing 5-tuple. In addition, the TCP or UDP checksum must also be updated to reflect the translated addresses and ports; note that the TCP and UDP checksum covers the pseudo-header which contains the source and destination IP addresses. An algorithm for efficiently updating these checksums is described in [RFC3022]. o When the protocol following the IP header is ICMP and it is an ICMP Query message, the ICMP query Identifier is set to the one of the outgoing 3-tuple. GT> clarify that the outgoing 3-tuple is defined in an earlier section of this document. o When the protocol following the IP header is ICMP (sections 3.4 and 4.4) and it is an ICMP error message, the source and destination transport addresses in the embedded packet are set to the destination and source transport addresses from the outgoing 5-tuple (note the swap of source and destination). The size of outgoing packets as well and the potential need for fragmentation is done according to the behavior defined in IP/ICMP Translation Algorithm [I-D.ietf-behave-v6v4-xlate] 3.5. Handling Hairpinning This step handles hairpinning if necessary. If the destination IP address is an address assigned to the NAT64 itself (i.e., is one of the IPv4 addresses assigned to the IPv4 interface, or is covered by the Pref64::/n prefix assigned to the IPv6 interface), then the packet is a hairpin packet. GT> This is not a sufficient definition of "hairpinning"....since it describes ALL packets that go through the NAT64. Hairpinning is defined in detail in Section 6 of RFC4787, and more compactly Section 7.2 of RFC5382. to paraphrase the latter: " A NAT64 that forwards packets originating from an IPv6 address, destined for an IPv4 address that matches the active mapping for another IPv6 address, back to that IPv6 address are defined as as supporting "hairpinning". " The outgoing 5-tuple becomes the incoming 5-tuple, and the packet is treated as if it was received on the outgoing interface. Processing of the packet continues at step 2 Section 3.2 Bagnulo, et al. Expires May 25, 2010 [Page 29] Internet-Draft NAT64 November 2009 4. Application scenarios GT> this is clearly no longer normative. I wonder if it should be either moved to the front or placed in an appendix. In this section, we describe how to apply NAT64/DNS64 to the suitable scenarios described in [I-D.ietf-behave-v6v4-framework] . GT> That's it....the security section looks ok so far, but I will try to check it again in more detail during WGLC or closer to it.
- [BEHAVE] Review Part 2(final) of draft-ietf-behav… George Tsirtsis
- Re: [BEHAVE] Review Part 2(final) of draft-ietf-b… marcelo bagnulo braun