IETF Logo Mail Archive

Re: [lisp] LISP NAT Traversal [Was: Virtual meeting]

Dino Farinacci <farinacci@gmail.com> Wed, 01 April 2020 21:23 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A28AC3A09F7 for <lisp@ietfa.amsl.com>; Wed, 1 Apr 2020 14:23:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sAINfs3-_xT1 for <lisp@ietfa.amsl.com>; Wed, 1 Apr 2020 14:23:41 -0700 (PDT)
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A45303A09F6 for <lisp@ietf.org>; Wed, 1 Apr 2020 14:23:41 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id h11so489257plk.7 for <lisp@ietf.org>; Wed, 01 Apr 2020 14:23:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=4c3htN1QJnKreFiXl63TXs4vvafHNkiHT5yULqIT9/8=; b=QumoIZAynxft27KQQvDt2mXZVie3BuQ5E3ngpR2gy9cwxvFP3ZV7hW2Cfn4nq8nixr 1ctoI0hYNWJUY/HrHaYTul60GZJDABsK8JobxubfOFqPpuTahpHkeuIKdFYjQQ+mLhu7 qAJ2O+j7sPjuTqmptGM/063b7kYSWnuzC3DWRWsw482j2SeTsYf9gYdpxaaIMkYLgimn F0/IO70RD55KCLi0fvSJi2OBY6UdslUkUWSP/i+K5KhjFRLJEjrZTaBpSLfwawSdg+uU 56Tn6EflEtT4jDr3gNFl4Wp/NvV0jOpvbGLfRhoxiWr6b2P+fHnpqipp79zKNK67DUfK 8/Tw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=4c3htN1QJnKreFiXl63TXs4vvafHNkiHT5yULqIT9/8=; b=VB84hwxBNqtHmBP58g4jy1c3Vw/a8dMBb1YAV//Z8sa5SnyyJwwRZ5jzXox7g6cTda 9iK5a3/+0IUwGviU1bj+P5kOBqcVJgUpBQc5PIavaEhGHwS53sGc+p4MZP7cA2im7eko rOWDIyK4+U8xMq4qPeeqANy/tEikhiNcjgwghtS0louLJgbnVJ0Ebk1L0PhDqyQ1QuUq 94W1iXoKcjV+/lZSKcGr5CuYQ31f2gnOor7JLeYYwz3p1tcyADJJpjDtlrVL9ntxs4N2 Sy5plhSBXQi0+6ipafsrYFhi0tMOtCrNFCNwRfCloa89aXYRERIW0VaSMxVla1LbgoWB 9SSA==
X-Gm-Message-State: AGi0PuY1qQP/dTsJAuj2D+VXIbGWIcjVTjWQnCwNg5gminy5hxwhy9bO WfV1D6ua1k/lgF5AlFUW0FKdp2PpziU=
X-Google-Smtp-Source: APiQypLxprPhlIlL3QRfkOG4oW7V9oyqv8slMwu0zwfeL2GYbYAXaTnu8ghGwV7u0MXzoUDsbjtFEQ==
X-Received: by 2002:a17:90a:26e3:: with SMTP id m90mr130582pje.144.1585776220749; Wed, 01 Apr 2020 14:23:40 -0700 (PDT)
Received: from ?IPv6:2601:646:9600:af10:a88c:163b:7b89:c8fb? ([2601:646:9600:af10:a88c:163b:7b89:c8fb]) by smtp.gmail.com with ESMTPSA id l7sm2254955pfl.171.2020.04.01.14.23.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Apr 2020 14:23:39 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <751753ef-4b49-2a7d-8538-ac58773ade81@ac.upc.edu>
Date: Wed, 01 Apr 2020 14:23:38 -0700
Cc: lisp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <54A91658-40E5-446A-A57D-8D60078EEC6F@gmail.com>
References: <55b348e3-66c3-0e5c-8028-446a3afa4249@ac.upc.edu> <8C01E061-9B4A-4C99-8BE6-1151B1BCB155@gmail.com> <14dbe527-85db-5cc3-e2de-039b6216e89f@ac.upc.edu> <9FD16389-6CA4-49B9-BC47-8DA13BF377E2@gmail.com> <751753ef-4b49-2a7d-8538-ac58773ade81@ac.upc.edu>
To: Albert Lopez <alopez@ac.upc.edu>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/FdSSsswJyuWfUXOyyEJTW7fCmXE>
Subject: Re: [lisp] LISP NAT Traversal [Was: Virtual meeting]
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 21:23:44 -0000

Pruning some texts. Answers to your questions inline.

> On Apr 1, 2020, at 2:28 AM, Albert López <alopez@ac.upc.edu> wrote:
> 
>> When the remote ETR isn’t behind NAT, the RTR can reach it directly but so can the ITR. 
> You say " That causes the non-NAT ITR and the remote RTR to do mapping lookup to get the global/non-translated RLOC" but who sends them an SMR to update the mapping? ETR can not do it because he doesn't have their entries in the cache. 

The 3 mechanisms I mentioned in previous email. SMRs (both control or data-driven), Map-Notify with pubsub from Map-Server, or map-cache TTL management.

>>>> What I was referring with this question is , If we are behind NAT using an RTR as a default gateway and then we handover to an IPv6 connection (at that point we are not considering the publish/subscribe solution), If we don't want to lose established connections, xTR has to notify the RTR (SMR) of the change of the mapping. To notify it, 
>> 
>> Yes. But now I’m not clear if you the “IPv6 connection” is referring to an IPv6 EID or RLOC. Please clarify.
> I am referring to IPv6 RLOCs

Then you don’t need NAT-traversal.

>> 
>>> the RTR should have an IPv6 RLOC that should be included in the list of RTRs of the Info Reply message.  Depending on what the RTR does with the SMR,  remote ITRs could move stablished connections to direct path or continue using the RTR.
>> 
>> If IPv6 is an RLOC, it is assumed anyone can reach it and a site xTR need not encap packets to an RTR. RTRs for NAT-traversal are used only for IPv4 RLOCs, regardless if the EID is IPv4 or IPv6.
> If we want to maintain established connections, when we handover from NAT to IPv6 RLOC, we need to notify the change of mapping. If we use SMR procedure, our only entry is the RTR, so if it doesn't have an IPv6 RLOC, we can not SMR it and the xTR will loose the already established connections. 

This is true. That is why you use an RTR for NAT-traversal only for IPv4 RLOCs.

>> 
>> Note, that SMRs will cause a flurry of messages depending on how aggressive the ETR wants the ITRs sending to it to be updated. And requires queuing demands on the ETR for reliable delivery. Hence why data-driven SMRs were introduced in implementations. But that only happens for EID-mobility (EID is not co-located with RLOC) and not in LISP-MN (where EID and RLOC are co-located).
> From my point of view a TTL of 3-5 seconds is also quite aggressive from the perspective of the Map Server that receive the queries (probably will have several MN registered to it). May be, a good point would be to evaluate all the pros and cons of each mechanism and recommend to use one for each case. In any case, I believe that we need to specify what is the behaviour of an RTR when receiving an SMR.

It depends where your mobility domain is. And how fast the requirements are to change mappings. We have 3 mechanisms and they all have their disadvantages.

>>>>> 
>>>> It needs to be reachable RLOCs. And in the lispers.net implementation, an xTR behind a NAT registers it’s translated RLOC and the RTR RLOCs. That is so the remote RTR can use the translated RLOC (and the translated port it learns from Info-Requests) and remote ITRs to use the RTR’s RLOC (since that RTR is the only node that can get packets through the NAT).
>>> I don’t have the full details of the lispers implementation of NAT-Traversal solution. Is any document describing it?.
>> 
>> I don’t have something written up but I do have slides that show protocol flow. See at the end of this email. It can all be explained in one slide. ;-)
> The Info Request message contain authentication section, is the key shared between MS,xTR and RTRs?

I don’t use authentication for Info-Request and Info-Replies. Otherwise, you need a security association with the RTR that can change quickly. You don’t want to provision keys between xTRs and RTRs but since xTR to MS is more of a provision based admission control to the control-plane system, it is acceptable and necessary there.

>> 
>>> My concern here is regarding section 5.1.2 of the draft (Map-Request and Map-Reply handling). When we sent an Encap Map-Request to get a mapping, we add a list of iTR addresses to receive the Map-Reply. We can add here the global address of the xTR but if the NAT has not been previously punched, we will not receive never a Map-Reply, at least for symetrics NATs.
>> 
>> You MUST put public-RLOCs in the mapping and the only node that can do that is the ETR. And it discovers its public-RLOC but receiving a Info-Reply from the MS that echos the outer source address and source UDP port from the Info-Request message. The message that the NAT translated the source address and source port.
> May be I am wrong but the scenario of open the NAT with the Info-Request Info-Reply messages is only valid for a scenario with a single MS where all EIDs are registered with proxy mode. If the reply of the Map-Request comes form other MS or remote ETR, then we don't have a hold in the NAT and the Map-Reply  message will not be received.

No, not true. My implementation allows an ETR to send Info-Requests to 2 map-servers and assumes/requires that the RTR-list configured on each map-server is the same.

Yes, and proxy mode is required because in my implementation, the map-server returns ETR public-RLOCs to requesting RTRs and RTR RLOCs to requesting ITRs. Plus the map-server can’t send packets to destination port 4342 through the NAT. But this part is solvable. Just not documented or implemented.

>> Also note, there is a requirement for an xTR to have two interfaces, each connected to different NATs. And load-splitting is required across the two intefaces (inbound)
> I think that the draft already contemplate this scenario, at least when both interfaces use the same RTR despite using different NATs. If they are using different RTRs, both RTR's RLOCs will be included in the mapping, then is the ITR the responsible to split the traffic between RLOCs. Does it cover your scenario?

Yes, and it also supports two xTRs behind the same NAT to know the fact so they can encapsulate each other via private-RLOCs. I call this short-cut NAT-traversal in my implementation.

Cheers,
Dino

v2.23.0 | Report a Bug | By Email