IETF Logo Mail Archive

Re: WG Review: Behavior Engineering for Hindrance Avoidance (behave) (fwd)

Melinda Shore <mshore@cisco.com> Mon, 20 September 2004 23:18 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA06152; Mon, 20 Sep 2004 19:18:13 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1C9XWV-0005nv-Jh; Mon, 20 Sep 2004 19:24:44 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C9XLu-0002hr-Dc; Mon, 20 Sep 2004 19:13:46 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C9XHz-0001pk-5y; Mon, 20 Sep 2004 19:09:43 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA05347; Mon, 20 Sep 2004 19:09:40 -0400 (EDT)
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1C9XOD-0005cW-6f; Mon, 20 Sep 2004 19:16:10 -0400
Received: from sj-core-2.cisco.com (171.71.177.254) by sj-iport-1.cisco.com with ESMTP; 20 Sep 2004 16:14:04 -0700
X-BrightmailFiltered: true
Received: from mira-sjc5-c.cisco.com (IDENT:mirapoint@mira-sjc5-c.cisco.com [171.71.163.17]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id i8KN93wp011369; Mon, 20 Sep 2004 16:09:03 -0700 (PDT)
Received: from cisco.com ([10.25.65.179]) by mira-sjc5-c.cisco.com (MOS 3.4.5-GR) with SMTP id AZF13022; Mon, 20 Sep 2004 16:09:06 -0700 (PDT)
Date: Mon, 20 Sep 2004 19:08:41 -0400
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Mime-Version: 1.0 (Apple Message framework v553)
To: Bob Hinden <bob.hinden@nokia.com>
From: Melinda Shore <mshore@cisco.com>
In-Reply-To: <6.1.2.0.2.20040920145359.01d33748@mailhost.iprg.nokia.com>
Message-Id: <0330B107-0B5A-11D9-99F9-000A95E35274@cisco.com>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.553)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Content-Transfer-Encoding: 7bit
Cc: ietf@ietf.org, iesg@ietf.org
Subject: Re: WG Review: Behavior Engineering for Hindrance Avoidance (behave) (fwd)
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Content-Transfer-Encoding: 7bit

On Monday, September 20, 2004, at 06:09 PM, Bob Hinden wrote:
> I think this ship has left port a long time ago and the likelihood 
> that the IETF can now effect enough change to make it possible to 
> write new applications that work consistently in the presence of NATs 
> is very low.   The installed base is much to large and NAT is showing 
> up in devices being built by people who don't pay too much attention 
> to the IETF.  The same folks who do not build in IPv6, who break path 
> MTU discovery, who strip out TCP options, etc.  Now we expect them to 
> build "good" NATs...

I'm ambivalent about it for some of the reasons you mention, plus 
others.
I think it's important to understand that NAT really is going to be with
us for the foreseeable future.  It's fairly common now to have corporate
security auditors require the use of NAT as a security device.  That's
a big fat training and cultural problem, and I don't see how the IETF
would be able to change it.  I don't think that it's completely 
unthinkable
that the *unavailability* of v6 NAT might hold up a transition to v6 in
some corporate environments because of their undereducated security 
auditors.

The other thing that's important to understand is that there are often
big changes between firmware releases for many consumer NAT products, 
and
that NAT vendors tend not to see making those changes as a terrificly 
huge
deal.  I don't think I agree with your concerns about lack of interest 
in
implementation.

That said, this work in the IETF is being driven by people whose 
protocols
break when they have a NAT in the path.  I have some concerns about
underinvolvement by people who build NATs for a living, but I think that
it's important to at least get some requirements laid out so that it's
clear what NAT manufacturers could be doing if they were interested.  
And
I think they are interested - they're hearing complaints from their
customers.  My biggest concerns are about 1) scope creep, and 2) a bunch
of workarounds being cobbled together and interfering with getting 
something
better deployed.  People who attended the IETF 60 BOF showed some 
enthusiasm
for specifying inspection behaviors, which is pretty appalling on 
several
levels.  On the second point, I think there's legitimate concern that 
this
is part of a process of developing a big jumble of duct tape and baling
wire.  Part of the problem here is that there's not yet a deployed 
solution
for communicating directly with NATs, so in the interim we're doing 
STUN.
STUN, however, doesn't work across certain varieties of NATs, so "good" 
NAT
behavior has to be specified.  And so it goes.

Melinda


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email