Re: [Int-area] IPv4 address sharing abuse [was RE: draft-boucadair-intarea-nat-reveal-analysis]
Jason Fesler <jfesler@yahoo-inc.com> Thu, 08 September 2011 20:12 UTC
Return-Path: <jfesler@yahoo-inc.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD14921F8ACE for <int-area@ietfa.amsl.com>; Thu, 8 Sep 2011 13:12:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.264
X-Spam-Level:
X-Spam-Status: No, score=-17.264 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, NO_RDNS_DOTCOM_HELO=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kGDrIVdCt70u for <int-area@ietfa.amsl.com>; Thu, 8 Sep 2011 13:12:34 -0700 (PDT)
Received: from mrout2-b.corp.re1.yahoo.com (mrout2-b.corp.re1.yahoo.com [69.147.107.21]) by ietfa.amsl.com (Postfix) with ESMTP id 074B121F8997 for <int-area@ietf.org>; Thu, 8 Sep 2011 13:12:33 -0700 (PDT)
Received: from sp1-ex07cas01.ds.corp.yahoo.com (sp1-ex07cas01.ds.corp.yahoo.com [216.252.116.137]) by mrout2-b.corp.re1.yahoo.com (8.14.4/8.14.4/y.out) with ESMTP id p88KE5RT050365; Thu, 8 Sep 2011 13:14:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yahoo-inc.com; s=cobra; t=1315512846; bh=7aqd3aJwQhWmT8NF63ewvYhz1Qi8U/Bhh2Tolp5yxO0=; h=From:To:CC:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=jwoih3AlG9jXwzK/GuyaXtArPo5OBBdR/RubGkdFfBlSlQk9NxuSNaHRTnzTmCKlc fRj4pIw9MSCbVb40stXdhGJGvOS5PJfDviSYQQI9Yn3S92DlQx+HNNL0MMkA/ROTwg GJ3m35xgqros3CJuASm/IIqc5yOmbJzny4BuosUY=
Received: from SP1-EX07VS01.ds.corp.yahoo.com ([216.252.116.139]) by sp1-ex07cas01.ds.corp.yahoo.com ([216.252.116.137]) with mapi; Thu, 8 Sep 2011 13:14:06 -0700
From: Jason Fesler <jfesler@yahoo-inc.com>
To: Dan Wing <dwing@cisco.com>, "int-area@ietf.org" <int-area@ietf.org>
Date: Thu, 08 Sep 2011 13:14:04 -0700
Thread-Topic: [Int-area] IPv4 address sharing abuse [was RE: draft-boucadair-intarea-nat-reveal-analysis]
Thread-Index: AcxuY9tu4HKGg72nRuKcsdLVFdzEnw==
Message-ID: <5D4F4E98-DCC7-4205-B981-824DDA16E1B2@yahoo-inc.com>
References: <020601cc6e3f$d738f150$85aad3f0$@com>
In-Reply-To: <020601cc6e3f$d738f150$85aad3f0$@com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Igor Gashinsky <igor@yahoo-inc.com>
Subject: Re: [Int-area] IPv4 address sharing abuse [was RE: draft-boucadair-intarea-nat-reveal-analysis]
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2011 20:12:34 -0000
Dan alerted me to this thread (Thanks). Responding to what I see in the list archives. First, I'd like to thank the contributors of draft-boucadair-intarea-nat-reveal-analysis, as well as RFC6269. Today, we already have problems with the NATs deployed both at the enterprise level, as well as the prevalence of NAT in some countries. Denying based on an IPv4/32 address is the last thing we want to do; it causes real harm. However, there are times we must do so, to keep the service functional for others. For us, having a HOST_ID represented in some fashion, is highly desirable. This would be useful even if it was only partially persistent for a given subscriber. if it had similar lifespans as DHCP or PPP, it would still be enough to single out a single bad actor distinctly from a pool of hundreds of other good actors, within a single IPv4/32 community. Lee Howard, you wrote: > The stack or application on the other side of the connection would also > have to be updated. For instance, the web server. Or the p2p client? Should some form of nat revealing become standard, we would implement it. If nothing standards-wise comes of this, then we would likely still pursue draft-wing-nat-reveal-option with strategic partner ISPs. We are most troubled by TCP (HTTP, SMTP, POP, IMAP); we worry less about addressing the UDP aspects mentioned. Modifying a few web apps and the kernel are NOT a barrier for us. If any standard does come about, I'm certain that the apps used by the larger content operators will see updates to support those new standards. As to the legality of this in EU: I'm not a lawyer. That said, our support of nat revealing is not contingent on EU deployment. -jason
- Re: [Int-area] IPv4 address sharing abuse [was RE… Jason Fesler