[Int-area] AD evaluation: draft-ietf-intarea-nat-reveal-analysis
Brian Haberman <brian@innovationslab.net> Mon, 11 February 2013 21:11 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4303D21F8972 for <int-area@ietfa.amsl.com>; Mon, 11 Feb 2013 13:11:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.563
X-Spam-Level:
X-Spam-Status: No, score=-102.563 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3i3gL1YXFKsp for <int-area@ietfa.amsl.com>; Mon, 11 Feb 2013 13:11:52 -0800 (PST)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) by ietfa.amsl.com (Postfix) with ESMTP id ECD3B21F8A80 for <int-area@ietf.org>; Mon, 11 Feb 2013 13:11:51 -0800 (PST)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 1E00E88186; Mon, 11 Feb 2013 13:11:50 -0800 (PST)
Received: from 102529252.rudm1.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id B9E1F13000C; Mon, 11 Feb 2013 13:11:49 -0800 (PST)
Message-ID: <51195E93.4090103@innovationslab.net>
Date: Mon, 11 Feb 2013 16:11:47 -0500
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: int-area@ietf.org, draft-ietf-intarea-nat-reveal-analysis@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [Int-area] AD evaluation: draft-ietf-intarea-nat-reveal-analysis
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 21:11:54 -0000
All, I have completed my AD evaluation for the above draft and have some feedback for the group. I will focus on the substantive comments for the time being since some of them may result in re-written text in places. I will follow up with the document authors on editorial nits and such at a later time. 1. It is obvious from the way certain sections of text are written that the original intent was to make a recommendation on which of the described approaches should be used to disambiguate between multiple hosts behind a NAT/CGN. Given that the document is now simply a characterization of those mechanisms, I would suggest spending some time cleaning up the Abstract, Section 1.1, and Section 2 so that they focus on the task of describing the mechanisms, rather than mentioning abstract requirements for those mechanisms. There are concrete suggestions a little later in this note. 2. The mechanisms described in this draft fall into two broad categories, deployed and proposed. Those in the former category can be characterized based on actual usage scenarios, which would benefit the table shown in Figure 3. The latter should be described in terms of what they are proposed to do, but cannot be assessed against the same metrics as the other groups. 3. The "Requirements Language" section should be removed. As an Informational document describing mechanisms, there is no need to leverage 2119 keywords. 4. It would be useful if the third paragraph of Section 1.1 was expanded to discuss the risks in more detail. In fact, it may be clearer to understand this draft if the problem statement came before the context (Section 2). 5. Section 2 * The Observation text should provide some brief examples of how and why special treatment is needed/provided. Is it sufficient to identify the sending host? application? user? It should also note that there may be issues with the fact that some IP addresses will be shared and others may not. How does that impact the performance of these mechanisms? * I would like some text in the Objective text to explain why such sorting is needed. This relates back to the Context description in Section 1.1. * I don't think there needs to be a description of a Requirement in this document any more, so that text can be removed. 6. Section 3.1 should be removed. This is simply an analysis of the mechanisms, so there is no new work which needs requirements defined at this point. 7. In Section 4.1.2, it would be good to describe any issues that the approach has with the original use of the Identification field for fragmentation reassembly. If a middlebox changes the ID field, weird things can/will happen if those packets are fragmented somewhere. 8. I don't see a need for a forward reference in Section 4.2.2. I would suggest simply stating that the IP Option approach will support any/all transport protocols. 9. In Section 4.3.2... * I would like to see some description of what risk(s) may arise with a TCP option, even though they are apparently low probability. * Additionally, the text contains "0,103%", which I assume should be "0.103%" (i.e., 1/10th of 1%). *The third bullet mentions that having several NATs in the path may cause issues for a TCP option. Isn't this true for other approaches discussed in the document? These should be identified as well. 10. In Section 4.5.1, I would suggest adding some text that describes how to interpret Figure 2. 11. Is Section 4.6 theoretical or is there a specific reference that can be added for this technique? 12. Section 4.7.2 should clearly state that HIP is an ideal solution for this identification problem, even though the document states there is a high cost for deployment. I would also like to see some description of why HIP does not work if "the address sharing function is required to act as a UDP/TCP-HIP relay". 13. Section 4.8.2 * The text says that the ICMP approach is viable for TCP and UDP. Any reason why it may be an issue for other transport protocols (e.g., SCTP or RTP)? * I would also like to see some text describing why the approach is not compatible with cascading NATs. * The last bullet mentions FMC and Open WiFi with no context or references. These should either have references or their mention should be removed since they don't add much to the description. The same goes for their mention in Section 4.9.2 (8th bullet). 14. In Section 4.9.2 (3rd bullet), is the solution to publish this info in DNS or is that just an example approach? This should be clarified. 15. Section 5 * Shouldn't there be an additional metric that covers the impact/cost of needing client or middlebox code changes? * Where did the 100% success ratio for IP-ID come from? There have been documented cases of OSes setting the Identification field to zero. If that is true, the success ratio can't be 100% can it? * Given the goal of this document to describe these identification mechanisms, I don't see the need for the last bulleted list. Regards, Brian
- [Int-area] AD evaluation: draft-ietf-intarea-nat-… Brian Haberman
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Suresh Krishnan
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Brian Haberman
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… mohamed.boucadair
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Behcet Sarikaya
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Suresh Krishnan
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Suresh Krishnan
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… mohamed.boucadair
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Brian Haberman
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Brian Haberman
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… mohamed.boucadair
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Behcet Sarikaya
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… mohamed.boucadair
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Brian Haberman
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Behcet Sarikaya
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… mohamed.boucadair
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Behcet Sarikaya
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Joe Touch
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… mohamed.boucadair
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Behcet Sarikaya
- Re: [Int-area] AD evaluation: draft-ietf-intarea-… Dan Wing