Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns
Martin Stiemerling <stiemerling@netlab.nec.de> Thu, 11 May 2006 13:38 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FeBMe-00087U-Ij; Thu, 11 May 2006 09:38:00 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FeBMe-00087O-14 for nsis@ietf.org; Thu, 11 May 2006 09:38:00 -0400
Received: from kyoto.netlab.nec.de ([195.37.70.21]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FeBMc-00026h-V6 for nsis@ietf.org; Thu, 11 May 2006 09:37:59 -0400
Received: from [10.1.1.109] (mito.netlab.nec.de [195.37.70.39]) by kyoto.netlab.nec.de (Postfix) with ESMTP id 743CB1BAC4D; Thu, 11 May 2006 15:30:56 +0200 (CEST)
In-Reply-To: <37901.24.199.92.165.1147285957.squirrel@mail.piranho.net>
References: <A632AD91CF90F24A87C42F6B96ADE5C57EBF28@rsys005a.comm.ad.roke.co.uk> <37901.24.199.92.165.1147285957.squirrel@mail.piranho.net>
Mime-Version: 1.0 (Apple Message framework v749.3)
X-Priority: 3
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <21A356F7-E84A-4131-AEE0-7872E21D4CAB@netlab.nec.de>
Content-Transfer-Encoding: 7bit
From: Martin Stiemerling <stiemerling@netlab.nec.de>
Subject: Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns
Date: Thu, 11 May 2006 15:37:55 +0200
To: Henning Peters <hpeters@math.uni-goettingen.de>
X-Mailer: Apple Mail (2.749.3)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 43ca87c8fcef5d9f6e966e1c3917103e
Cc: nsis@ietf.org, "Hancock, Robert" <robert.hancock@roke.co.uk>
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Errors-To: nsis-bounces@ietf.org
Hi Henning, Am 10.05.2006 um 20:32 schrieb Henning Peters: > Hi Robert, > > good summary. Though, I am missing one point: > > In a hierarchical NAT scenario, is it sufficient only talk to the > edge to > make a reservation? An example: > > A:NI --[ B:NF(NAT) --[ C:NF(NAT) --- D:NR > 1) <=========================REA > 2) RESPONSE====================> > 3) CREATE====> ============> X =========> X...marks the problem > loc. > 4) <========== <============= <==RESPONSE > > Assumption: In this scenario I assume that a REA(1) message with LE- > MRM > does only talk to the edge and traverses C seemlessly. C may trigger a > reservation, read the flow, but will not change any data of the > message > exchange between B and D. Does this imply C:NF(NAT) being NATFW NSLP unaware or do you say C:NF(NAT) is NATFW NSLP aware but does not care about the message? The picture does not show the NATFW NSLP operation if C:NF(NAT) is NATFW NSLP aware. Can you clarify this? Otherwise the answer to this email is going full of ifs. Thanks, Martin > > For an upcoming CREATE(3) message from A it seems to be necessary > for B to > previously store the IP address of the C during REA(1) operation, > because > B has to map between different session IDs based upon the external > port > reservations. It also has to know the external port reservation of C. > > Thus, in respect to NAT behavior, B has to translate the IP and TCP/ > UDP > layer and update MRI accordingly to match the new destination > address/port. But: how does B know about a valid destination port > at C? > > In my view all NAT have to do a mapping unrelated to session ID, > but on IP > address and port, because REA and CREATE messages are different > sessions. > Thus, they need a mechanism to signal their external port > reservation to > the upstream NAT, this is not possible without modifying the exchange > between B and D. Thus my previously made assumption is wrong. > > Hence, I asked Martin to give me a port field, it was introduced in > last > fall. The whole issue is complicated, so I am not 100% sure whether I > might not miss a point. If I might be right, then I have following > concern: > > LE-MRM is not only about "talking to the edge". Therefore, I find it > sensible to put the port into LE-MRM. Please keep in mind that I > might be > biased, because I want to keep my codebase small ;). > > Currently the port resides in DTINFO object. So, if signaled with > LE-MRM > one has to use this field, when using PC-MRM one has to use MRI port > although the port is here needed for the same purpose: giving the > upstream > NAT information about the local NATs port reservation. Sure, in PC-MRM > this information is overloaded the same way as NAT is already > overloading > identifiers. > > Henning > > > Hancock, Robert sagte Mi, 10.05.2006, 04:59: >> hi all, >> >> i'm still trying to get my head round sections 3.8.2 and 3.8.7 of >> the spec (which i think is what most of the thread below is about). >> >> however, i do have a specific comment about the applicability of the >> LE-MRM and PC-MRM for various types of scenario. i'll say in advance >> that i'm not 100% certain that the LE-MRM definition is right; >> however, the discussion below is not persuading me that it is wrong. >> i'll try to explain why: >> >> from a GIST perspective, the purpose of the LE-MRM is to allow an >> NSLP at an end host to talk to the 'edge' of the network and to >> get signalling messages back. from that point of view, no port >> numbers >> are needed at the GIST level, because there are no port numbers >> associated >> with the concept 'edge of the network'. routing state can be quite >> happily created at NATs along the path [how? see below] and GIST >> messages can be sent backwards and forwards as the NSLP requires. >> >> it turns out that the NATFW NSLP may need a port number for NATFW >> purposes; specifically, that the external address that gets allocated >> may actually be a {address, port} pair, if the NAT is doing address >> sharing [if i understand it right ...]. However, in this particular >> case, it's vital that the {address, port} information is *not* >> carried >> at the GIST level, since it's vital that these are *not* translated >> on the way back to the end host - the end-host wants these unmodified >> so it can advertise them in the public network. so {address, port} >> have >> to be carried at the NSLP level (where other funny processing also >> takes place on them). >> >> the question then arises whether other NSLPs might want to use the >> LE-MRM and might need to have port numbers translated for them if >> the signalling path went through a NAT. I can't assess that either >> way at the moment; however, I can say that the QoS-NSLP is not a >> valid example. if the QoS-NSLP wants to use some sort of proxy mode, >> then it should use the upstream PC-MRM, not the LE-MRM. this is >> because the QoS-NSLP talks about flows, not about network edges. >> if the QoS-NSLP wanted to manage QoS for something which wasn't a >> flow but which was bound to a network edge for some reason, then the >> LE-MRM might be appropriate - but then there would be no port numbers >> involved anyway. and i think that the same line of reasoning would >> be applied to other NSLPs also. >> >> there remains the question of how GIST gets LE-MRM-routed traffic >> through a NAT. i think there are two cases here: >> *) if the NAT hosts the NSLP in question, it is a non-issue. the >> signalling traffic is presented to GIST by the NSLP separately >> on each interface, and the NSLP is responsible for choosing the >> MRI/SID/NSLP to pick out the routing state towards the right peer. >> >> *) if the NAT does not host the NSLP in question, GIST has to do >> MRI/NLI/SCD re-writing to get the Query/Response messages backwards >> and forwards correctly. no GIST routing state gets established, but >> NAT bindings need to be established for the signalling traffic >> itself. but I don't see this requiring access to information that >> might be carried in the NSLP; the NAT can use the SID or the UDP >> source port from the Query as keys for its binding table; the >> former we assume to be unique and the latter can be rewritten. >> >> summary: at the moment, I think that the LE-MRM is ok. However, it's >> a subtle subject and it's possible that I haven't understood all the >> concerns. I'm also not certain at the moment that the way the NATFW >> NSLP does things like proxy REA are correct - still thinking ... >> >> >> cheers, >> >> r. >> >>> -----Original Message----- >>> From: Martin Stiemerling [mailto:stiemerling@netlab.nec.de] >>> Sent: 08 May 2006 16:01 >>> To: Henning Peters >>> Cc: nsis@ietf.org >>> Subject: Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns >>> >>> >>> Hi Henning, >>> >>> >>> Am 21.04.2006 um 22:06 schrieb Henning Peters: >>> >>>> Dear WG, dear NAT/Firewall NSLP authors, >>>> >>>> NAT/Firewall NSLP is a quite stable and usable protocol. There is >>>> running >>>> code already available that covers broad aspects of its >>> functionality. >>>> This proves at least that from an complexity and functional >>>> viewpoint it >>> >>> Good to hear that! >>> >>>> can be considered feasible. Still, I find that some parts of the >>>> spec can >>>> be improved. Here, I would like to present my concerns connected to >>>> LE-MRM/DTINFO that I developed during working on our >>>> implementation. >> >>> >>> Comments and suggestions are always welcome. >>> >>>> >>>> shortcut: the questions related to WG discussion are at 4). >>>> >>>> 1) Confusing directions >>>> >>>> Most notable, the directions are a bit confusing in this object. >>>> src port >>>> is data sender (DS) port, dst port is data receiver (DR) port. DR >>>> port is >>>> subject of rewrite, whereas DS port specifies the data >>> sender. I would >>>> appreciate avoiding the term source and destination in this >>>> context, this >>>> would also leverage the positioning issue (see later *** when >>>> discussing >>>> the message format that confusely destination port is positioned >>>> before >>>> source port). >>> >>> While the naming is technically correct, I have to admit that it is >>> confusing. >>> So, I would suggest to change the names directly to what you have >>> proposed: 'src port' -> 'DS port' and 'dst port' -> 'DR port'. This >>> is then >>> inline with the naming of 'data sender's IP address' in the >>> same object. >>> >>>> >>>> Anyway, I will refer to DS port and DR port in the following. >>>> >>>> 2) LE-MRM / DTINFO ports >>>> >>>> After introduction of LE-MRM (loose end message routing >>> method) to the >>>> spec last year it was found that NAT traversal in NAPTs is >>>> broken as >> >>>> LE-MRM does not carry port information. Ports are >>> considered as not >>>> part >>>> of GIST routing and therefore omitted from MRI. >>> >>> There are two things to differentiate: NAPT support is not >>> broken in the >>> NATFW NSLP and whether NAPT traversal of GIST is broken when using >>> LE-MRM is a different story that depends on the view point. >>> >>> My concern here is about why we need a GIST/LE-MRM NAPT traversal >>> mechanism? When there is a NAT on your side of the network that is >>> not NATFW NSLP enabled you anyway need to fall back to all the >>> other workarounds, such as STUN, TURN, or other tricks. >>> >>> >>>> >>>> To compensate this DTINFO object was enhanced later with the port >>>> information that was previously accessable in PC-MRM >>> (signaling the >>>> wrong >>>> way) MRI. I believe that the current approach is not a good design >>> >>> There is non compensation needed, because GIST carries all >>> information >> >>> necessary for the message routing and the DTINFO object carries >>> information about the later expected data flow. That are >>> basically two >> >>> different things: The message routing information and the expected >>> data flow. >>> >>>> decision as GIST NAT traversal would be rendered broken. GIST NAT >>>> traversal is crucial as we cannot assume a domainwide deployment of >>>> NAT/Firewall NSLP instantly. I would appreciate a >>> deployable over a >>>> 100% >>>> clean solution as deployment will be very crucial to >>> NAT/Firewall NSLP >>>> success anyway. >>> >>> I do not see the applicability given for the GIST with LE-MRM and >>> NAT >>> traversal. I probably need a good example why it is needed. >>> >>>> >>>> See Martin's and my discussion in the issue tracker: >>>> https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/issue50 >>>> >>>> Actually, only the DR port and protocol field is needed for NAT >>>> traversal >>>> as REA/LE-MRM needs only a one-sided translation. >>>> >>>> 3) DTINFO message format >>>> >>>> The message format of the current solution is a bit confusing and >>>> lacks >>>> IPv6 support (DTINFOv6 object was removed in previous draft). Let >>>> me start >>>> with its figure: >>> >>> The DTINFO_IPV6 object has been removed since there is no IPv6 NAT >>> and the usage of NAT-PT seems to be deprecated. >>> >>>> >>>> >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>> |I|P|S| reserved | dest prefix | >>> protocol | >>>> >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>> (***): dst port number [DR] | src port number >>> [DS] : >>>> >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>> : IPsec SPI >>> : >>>> >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>> | data sender's IPv4 address >>> | >>>> >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>> >>>> The purpose of this object is two-fold: >>>> >>>> - specify data sender during REA (aka: the cone-ness of the NAT) >>>> >>>> - supply DR port/protocol for NAT traversal >>>> >>>> Unfortunately, the draft heavily mixes and overloads these two >>>> different >>>> semantical aspects in this object. Specifically, I see following >>>> issues: >>>> >>>> a) The P flag specifies whether port numbers are present or >>> not. This >>>> means that either both ports are present or none. Confusely, DR >>>> port and >>>> DS port cover different semantic aspects: >>>> >>>> DS port specifies the data sender, DR port is necessary for NAT >>>> traversal. >>>> A single flag to enable/disable two fields with different >>>> semantical >> >>>> meaning can be problematic. >>> >>> I makes sense to either enable usage of ports or not. >>> However, if ports >>> are enabled you still can wildcard the DS port. This makes some >>> sense >>> from the point of whether your policy rule to be installed in >>> the device >>> covers port numbers or not. >>> >>>> >>>> b) The I flag specifies whether the protocol field should be >>>> interpreted >>>> or not. The protocol defines the protocol used for above mentioned >>>> ports >>>> if the P flag is set aswell. Although the ports are of different >>>> semantical meaning, the protocol covers both equally. >>>> >>>> I am not sure whether this semantical overloading may introduce new >>>> problems, at least this limits flexibility compared to PC-MRM case >>>> where a >>>> protocol can be set in MRI and in DTINFO independently. >>> >>> DTINFO and PC-MRM cannot be used at the same time. *BUT* this is >>> not specified in the draft :-) >>> I will fix this. >>> >>>> >>>> c) DTINFO object might be used for firewall signaling scenarios. >>>> But >> >>>> LE-MRM can only cover NAT-only scenarios. That means that the NR >>>> has to >>>> know the scenario in advance to choose between PC-MRM and LE-MRM >>>> signaling. The more intelligence is put into NR the more it >>> evolves >>>> to a >>>> probing NR. >>> >>> Right, NR needs to choose carefully in what scenario it is. But the >>> DTINFO object >>> is not useful in firewall only scenarios, since those messages are >>> anyway >>> carried using the PC-MRM. >>> >>>> >>>> A probing NR sounds to me a bit like the situations BEHAVE working >>>> group >>>> deal with; this is not the situation I would like to see NAT/ >>>> Firewall NSLP >>>> in. I think that our network states can be used more flexibly to >>>> assist >>>> the NR better. The NR should not care about the network, but only >>>> give the >>>> definitions that the network should adapt to. >>> >>> I would prefer a different way of deciding whether the NR is >>> NATed or >>> firewalled only. However, until now there has been now good proposal >>> how to avoid this. Suggestions are welcome. >>> >>>> >>>> Surely, this is a design decision that needs WG consensus. >>>> >>>> d) DTINFO object MUST be included when using LE-MRM as NAT >>>> traversal is >>>> not possible as long as DR port is not available. >>> Therefore, following >>>> paragraphs might need correction: >>>> >>>>> The NI+ MAY include a NATFW_DTINFO_IPv4 object in the REA message >>>>> when using the LE-MRM. The LE-MRM does not include enough >>>> >>>> also: >>>> >>>>> When the data sender's address information is known in >>> advance the >>>>> NI+ >>>>> MAY include a NATFW_DTINFO_IPv4 object in the REA message (as >>>>> described >>>>> above). >>> >>> Already noted this. >>> >>>> >>>> 4) I hope I pointed out that a discussion of following points in >>>> the WG is >>>> necessary: >>>> >>>> - How much intelligence should have the NR -> shall the network >>>> handle the >>>> deployment sceario or should the NR know/probe the network >>>> scenario? >> >>> >>> As said, I'm open for suggestions! >>> >>>> >>>> - Is a broken GIST NAT traversal worth giving up a 100% clean MRM >>>> design? >>> >>> I still lack the real usage scenario for GIST with LE-MRM NAT >>> traversal. >>> >>>> >>>> The message format issues heavily depend on these discussions, >>>> therefore I >>>> would rather like to delay the message format design until both >>>> questions >>>> gained consensus. >>>> >>>> I also appreciate any feedback on our NAT/Firewall NSLP >>> implementation >>>> available at: >>>> >>>> http://user.informatik.uni-goettingen.de/~nsis/ >>> >>> I hope to get some time for checking this out. >>> >>>> >>>> Thank you for your attention, >>> >>> Thanks a lot for the comments! >>> >>>> Henning Peters >>>> >>>> >>>> _______________________________________________ >>>> nsis mailing list >>>> nsis@ietf.org >>>> https://www1.ietf.org/mailman/listinfo/nsis >>> >>> >>> _______________________________________________ >>> nsis mailing list >>> nsis@ietf.org >>> https://www1.ietf.org/mailman/listinfo/nsis >>> >> >> > > > > > _______________________________________________ > nsis mailing list > nsis@ietf.org > https://www1.ietf.org/mailman/listinfo/nsis _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Hannes Tschofenig
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Hancock, Robert
- RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling