IETF Logo Mail Archive

Re: [Int-area] AD evaluation: draft-ietf-intarea-nat-reveal-analysis

Brian Haberman <brian@innovationslab.net> Wed, 13 February 2013 15:04 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B218C21F87BB for <int-area@ietfa.amsl.com>; Wed, 13 Feb 2013 07:04:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.568
X-Spam-Level:
X-Spam-Status: No, score=-102.568 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zPHBJBLupXqe for <int-area@ietfa.amsl.com>; Wed, 13 Feb 2013 07:04:47 -0800 (PST)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) by ietfa.amsl.com (Postfix) with ESMTP id 469EF21F87BA for <int-area@ietf.org>; Wed, 13 Feb 2013 07:04:47 -0800 (PST)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 3EE0688130; Wed, 13 Feb 2013 07:04:47 -0800 (PST)
Received: from 102526165.rudm1.ra.johnshopkins.edu (addr16212925014.ippl.jhmi.edu [162.129.250.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id DBB4813000C; Wed, 13 Feb 2013 07:04:46 -0800 (PST)
Message-ID: <511BAB90.2020300@innovationslab.net>
Date: Wed, 13 Feb 2013 10:04:48 -0500
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
References: <51195E93.4090103@innovationslab.net> <51198814.1060809@ericsson.com> <51199062.4080505@innovationslab.net> <511B2FC0.1060209@ericsson.com>
In-Reply-To: <511B2FC0.1060209@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-intarea-nat-reveal-analysis@tools.ietf.org, int-area@ietf.org
Subject: Re: [Int-area] AD evaluation: draft-ietf-intarea-nat-reveal-analysis
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2013 15:04:47 -0000

On 2/13/13 1:16 AM, Suresh Krishnan wrote:
> Hi Brian,
>
> On 02/11/2013 07:44 PM, Brian Haberman wrote:
>> Hi Suresh,
>>
>> On 2/11/13 7:08 PM, Suresh Krishnan wrote:
>>> Hi Brian,
>>>     Thanks for the review. I wanted to clarify three points that you
>>> raised and I will ask the authors take care of the rest.
>>>
>>> On 02/11/2013 04:11 PM, Brian Haberman wrote:
>>>> 7. In Section 4.1.2, it would be good to describe any issues that the
>>>> approach has with the original use of the Identification field for
>>>> fragmentation reassembly.  If a middlebox changes the ID field, weird
>>>> things can/will happen if those packets are fragmented somewhere.
>>>
>>> Agree. I think this is precisely the reason that the mechanism for
>>> putting the HOST_ID in the IP-ID is a non-starter.
>>
>> I agree.  But that rationale should be in the draft.
>
> Ack. Med proposed a reference to RFC6864 Section 5.3. Is that sufficient?
>

That reference should be fine.

>>
>>>
>>>> 11. Is Section 4.6 theoretical or is there a specific reference that can
>>>> be added for this technique?
>>>
>>> There are several mechanisms that use port sets for IPv4 address
>>> sharing. A+P (RFC6346) is one such mechanism.
>>
>> Then I would ask that a reference be put in to give readers an example.
>
> OK.
>
>>
>>>
>>>> 15. Section 5
>>>>
>>>> * Shouldn't there be an additional metric that covers the impact/cost of
>>>> needing client or middlebox code changes?
>>>>
>>>> * Where did the 100% success ratio for IP-ID come from?  There have been
>>>> documented cases of OSes setting the Identification field to zero.  If
>>>> that is true, the success ratio can't be 100% can it?
>>>
>>> This technique involves the translator (and not the sender) setting the
>>> IP-ID field. That is why it can still work with OSes on senders setting
>>> the IP-ID to zero.
>>
>> You still have the issue of the middlebox setting that ID to something
>> that potentially impacts fragmentation reassembly.  So, I would still
>> like to know how that 100% success ratio was collected.
>
> Makes sense. I read the test result % to mean successful connection
> establishment and identification. Med, can you elaborate a bit on what
> exactly was tested and what the success % means.
>
> Thanks
> Suresh
>

v2.23.0 | Report a Bug | By Email