Re: NAT behavior for IP ID field
Fernando Gont <fernando@gont.com.ar> Fri, 10 September 2010 20:59 UTC
Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C276C3A6884 for <ietf@core3.amsl.com>; Fri, 10 Sep 2010 13:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.532
X-Spam-Level:
X-Spam-Status: No, score=-2.532 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WX+oE6lcqX5C for <ietf@core3.amsl.com>; Fri, 10 Sep 2010 13:59:52 -0700 (PDT)
Received: from mail-yx0-f194.google.com (mail-yx0-f194.google.com [209.85.213.194]) by core3.amsl.com (Postfix) with ESMTP id B0F603A682A for <ietf@ietf.org>; Fri, 10 Sep 2010 13:59:52 -0700 (PDT)
Received: by yxj4 with SMTP id 4so523064yxj.1 for <ietf@ietf.org>; Fri, 10 Sep 2010 14:00:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=2aJVsVWx0tShzI87at7AC3GhHFQ/ARxJ7PvK0pwJ+JI=; b=k9FnF7ksuqjFfCRyPQTl5YTM2Al7hii/QI2vtDmUPU1atCCc3GT7L7wscMv3EDX91G BxKt6Ji3KihYnc0qRFVzjAVzjoYvZWqUtzpSIl2LyzCHhFcxA96hBRRRjsSdHjN55i2u loHlznOouYjlk/efiB0K03tgUPLs3Sxd59L7I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=bqWMC7h/11TbsoI53XrR3OvgDjPk4c9yJr0q1Po6lwx+6+FfhfSJbXo8+6zeKB5T2N LBS7o5V2R9lTLkeNyueA8ssTovtIPD4GqYtzGO9I7Y+5F5QlVB0V5mwUZ8mYeAk+cmZk 4Ff00mcjpVKs3/QH6thJTloFmm/Rswl3qf6IY=
Received: by 10.100.138.6 with SMTP id l6mr1291469and.192.1284152419614; Fri, 10 Sep 2010 14:00:19 -0700 (PDT)
Received: from [192.168.2.12] ([186.137.83.109]) by mx.google.com with ESMTPS id u14sm4462897ann.0.2010.09.10.14.00.11 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 10 Sep 2010 14:00:17 -0700 (PDT)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4C8A962A.6080202@gont.com.ar>
Date: Fri, 10 Sep 2010 17:33:46 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: "t.petch" <daedulus@btconnect.com>
Subject: Re: NAT behavior for IP ID field
References: <20100831150444.22bd579e@t61p> <D0D68D38-84CD-4773-BB7E-328E1A31898A@muada.com> <00c601cb4a75$e428cfa0$4001a8c0@gateway.2wire.net>
In-Reply-To: <00c601cb4a75$e428cfa0$4001a8c0@gateway.2wire.net>
X-Enigmail-Version: 0.96.0
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2010 20:59:53 -0000
Hi, >>> I'm trying to locate an RFC that spells out the behavioral >>> requirements, expectations or guidelines for NAT handling of the IP ID >>> field, particularly for UDP messages. >>> If this is not written down anywhere, do NATs generally rewrite the ID >>> field with or without the MF bit set? >> I don't know. >> >> We had a discussion about this in the BEHAVE working group while working on > stateful IPv6-to-IPv4 translation. Unless I missed something, the ID field needs > uniqueness for any combination of source, destination IP addresses and protocol. > Assuming the source address doesn't change, this means an ID counter should be > maintained per destination address + protocol pair, so the maximum number of > packets can be transmitted for each such pair before an ID value is reused. This > would be the optimal host behavior, and NATs should act like hosts in this > regard. Reusing the ID field from the original packet has a much higher chance > of seeing the same ID field for outstanding fragments of a different flow, which > can cause undetected data corruption in 1 in 65535 cases when the TCP/UDP > checksum doesn't catch this. The same applies to other TCP and IP header fields. draft-gont-behave-nat-security contains some discussion of this. > Curious; RFC2402 says > " Flags -- This field is excluded since an intermediate router might > set the DF bit, even if the source did not select it." > which is a licence to set the bit but I had not thought to reset the bit. > RFC791, RFC1122 and RFC1812 would appear to be silent on this. I'm curious abut RFC 2402, then. Firstly, the host might not implement PMTUD, and hence setting the DF bit on its behalf could possibly cause interoperability problems. Secondly, some hosts clear the DF bit if the advertised MTU in an ICMP "frag needed" is below some specified threshols. This RFC2402-behavior could cause problems in this scenario, too. Thanks, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- NAT behavior for IP ID field John Kristoff
- Re: NAT behavior for IP ID field Iljitsch van Beijnum
- Re: NAT behavior for IP ID field t.petch
- Re: NAT behavior for IP ID field Iljitsch van Beijnum
- Re: NAT behavior for IP ID field Fernando Gont
- Re: NAT behavior for IP ID field Stephen Kent
- Re: NAT behavior for IP ID field Joe Touch