IETF Logo Mail Archive

[Int-area] AD evaluation: draft-ietf-intarea-nat-reveal-analysis

Brian Haberman <brian@innovationslab.net> Mon, 11 February 2013 21:11 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4303D21F8972 for <int-area@ietfa.amsl.com>; Mon, 11 Feb 2013 13:11:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.563
X-Spam-Level:
X-Spam-Status: No, score=-102.563 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3i3gL1YXFKsp for <int-area@ietfa.amsl.com>; Mon, 11 Feb 2013 13:11:52 -0800 (PST)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) by ietfa.amsl.com (Postfix) with ESMTP id ECD3B21F8A80 for <int-area@ietf.org>; Mon, 11 Feb 2013 13:11:51 -0800 (PST)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 1E00E88186; Mon, 11 Feb 2013 13:11:50 -0800 (PST)
Received: from 102529252.rudm1.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id B9E1F13000C; Mon, 11 Feb 2013 13:11:49 -0800 (PST)
Message-ID: <51195E93.4090103@innovationslab.net>
Date: Mon, 11 Feb 2013 16:11:47 -0500
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: int-area@ietf.org, draft-ietf-intarea-nat-reveal-analysis@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [Int-area] AD evaluation: draft-ietf-intarea-nat-reveal-analysis
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 21:11:54 -0000

All,
      I have completed my AD evaluation for the above draft and have 
some feedback for the group.  I will focus on the substantive comments 
for the time being since some of them may result in re-written text in 
places.  I will follow up with the document authors on editorial nits 
and such at a later time.

1. It is obvious from the way certain sections of text are written that 
the original intent was to make a recommendation on which of the 
described approaches should be used to disambiguate between multiple 
hosts behind a NAT/CGN.  Given that the document is now simply a 
characterization of those mechanisms, I would suggest spending some time 
cleaning up the Abstract, Section 1.1, and Section 2 so that they focus 
on the task of describing the mechanisms, rather than mentioning 
abstract requirements for those mechanisms. There are concrete 
suggestions a little later in this note.

2. The mechanisms described in this draft fall into two broad 
categories, deployed and proposed. Those in the former category can be 
characterized based on actual usage scenarios, which would benefit the 
table shown in Figure 3. The latter should be described in terms of what 
they are proposed to do, but cannot be assessed against the same metrics 
as the other groups.

3. The "Requirements Language" section should be removed.  As an 
Informational document describing mechanisms, there is no need to 
leverage 2119 keywords.

4. It would be useful if the third paragraph of Section 1.1 was expanded 
to discuss the risks in more detail.  In fact, it may be clearer to 
understand this draft if the problem statement came before the context 
(Section 2).

5. Section 2

* The Observation text should provide some brief examples of how and why 
special treatment is needed/provided.  Is it sufficient to identify the 
sending host? application? user? It should also note that there may be 
issues with the fact that some IP addresses will be shared and others 
may not.  How does that impact the performance of these mechanisms?

* I would like some text in the Objective text to explain why such 
sorting is needed.  This relates back to the Context description in 
Section 1.1.

* I don't think there needs to be a description of a Requirement in this 
document any more, so that text can be removed.

6. Section 3.1 should be removed.  This is simply an analysis of the 
mechanisms, so there is no new work which needs requirements defined at 
this point.

7. In Section 4.1.2, it would be good to describe any issues that the 
approach has with the original use of the Identification field for 
fragmentation reassembly.  If a middlebox changes the ID field, weird 
things can/will happen if those packets are fragmented somewhere.

8. I don't see a need for a forward reference in Section 4.2.2. I would 
suggest simply stating that the IP Option approach will support any/all 
transport protocols.

9. In Section 4.3.2...

* I would like to see some description of what risk(s) may arise with a 
TCP option, even though they are apparently low probability.

* Additionally, the text contains "0,103%", which I assume should be 
"0.103%" (i.e., 1/10th of 1%).

*The third bullet mentions that having several NATs in the path may 
cause issues for a TCP option.  Isn't this true for other approaches 
discussed in the document?  These should be identified as well.

10. In Section 4.5.1, I would suggest adding some text that describes 
how to interpret Figure 2.

11. Is Section 4.6 theoretical or is there a specific reference that can 
be added for this technique?

12. Section 4.7.2 should clearly state that HIP is an ideal solution for 
this identification problem, even though the document states there is a 
high cost for deployment. I would also like to see some description of 
why HIP does not work if "the address sharing function is required to 
act as a UDP/TCP-HIP relay".

13. Section 4.8.2

* The text says that the ICMP approach is viable for TCP and UDP.  Any 
reason why it may be an issue for other transport protocols (e.g., SCTP 
or RTP)?

* I would also like to see some text describing why the approach is not 
compatible with cascading NATs.

* The last bullet mentions FMC and Open WiFi with no context or 
references.  These should either have references or their mention should 
be removed since they don't add much to the description.  The same goes 
for their mention in Section 4.9.2 (8th bullet).

14. In Section 4.9.2 (3rd bullet), is the solution to publish this info 
in DNS or is that just an example approach?  This should be clarified.

15. Section 5

* Shouldn't there be an additional metric that covers the impact/cost of 
needing client or middlebox code changes?

* Where did the 100% success ratio for IP-ID come from?  There have been 
documented cases of OSes setting the Identification field to zero.  If 
that is true, the success ratio can't be 100% can it?

* Given the goal of this document to describe these identification 
mechanisms, I don't see the need for the last bulleted list.

Regards,
Brian

v2.23.0 | Report a Bug | By Email