RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns
"Henning Peters" <hpeters@math.uni-goettingen.de> Wed, 10 May 2006 18:32 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FdtUQ-0002r1-EU; Wed, 10 May 2006 14:32:50 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FdtUP-0002qw-AM for nsis@ietf.org; Wed, 10 May 2006 14:32:49 -0400
Received: from mail.piranho.net ([80.190.191.60]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1FdtUL-0002lv-6g for nsis@ietf.org; Wed, 10 May 2006 14:32:49 -0400
Received: (qmail 22883 invoked from network); 10 May 2006 18:32:37 -0000
Received: from localhost (HELO mail.piranho.net) (127.0.0.1) by 0 with SMTP; 10 May 2006 18:32:37 -0000
Received: from 24.199.92.165 (SquirrelMail authenticated user zedsoy) by mail.piranho.net with HTTP; Wed, 10 May 2006 14:32:37 -0400 (EDT)
Message-ID: <37901.24.199.92.165.1147285957.squirrel@mail.piranho.net>
In-Reply-To: <A632AD91CF90F24A87C42F6B96ADE5C57EBF28@rsys005a.comm.ad.roke.co.uk>
References: <A632AD91CF90F24A87C42F6B96ADE5C57EBF28@rsys005a.comm.ad.roke.co.uk>
Date: Wed, 10 May 2006 14:32:37 -0400
Subject: RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns
From: Henning Peters <hpeters@math.uni-goettingen.de>
To: nsis@ietf.org
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
Importance: Normal
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 94962611154c8404498b19f744990308
Cc: "Hancock, Robert" <robert.hancock@roke.co.uk>
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Errors-To: nsis-bounces@ietf.org
Hi Robert, good summary. Though, I am missing one point: In a hierarchical NAT scenario, is it sufficient only talk to the edge to make a reservation? An example: A:NI --[ B:NF(NAT) --[ C:NF(NAT) --- D:NR 1) <=========================REA 2) RESPONSE====================> 3) CREATE====> ============> X =========> X...marks the problem loc. 4) <========== <============= <==RESPONSE Assumption: In this scenario I assume that a REA(1) message with LE-MRM does only talk to the edge and traverses C seemlessly. C may trigger a reservation, read the flow, but will not change any data of the message exchange between B and D. For an upcoming CREATE(3) message from A it seems to be necessary for B to previously store the IP address of the C during REA(1) operation, because B has to map between different session IDs based upon the external port reservations. It also has to know the external port reservation of C. Thus, in respect to NAT behavior, B has to translate the IP and TCP/UDP layer and update MRI accordingly to match the new destination address/port. But: how does B know about a valid destination port at C? In my view all NAT have to do a mapping unrelated to session ID, but on IP address and port, because REA and CREATE messages are different sessions. Thus, they need a mechanism to signal their external port reservation to the upstream NAT, this is not possible without modifying the exchange between B and D. Thus my previously made assumption is wrong. Hence, I asked Martin to give me a port field, it was introduced in last fall. The whole issue is complicated, so I am not 100% sure whether I might not miss a point. If I might be right, then I have following concern: LE-MRM is not only about "talking to the edge". Therefore, I find it sensible to put the port into LE-MRM. Please keep in mind that I might be biased, because I want to keep my codebase small ;). Currently the port resides in DTINFO object. So, if signaled with LE-MRM one has to use this field, when using PC-MRM one has to use MRI port although the port is here needed for the same purpose: giving the upstream NAT information about the local NATs port reservation. Sure, in PC-MRM this information is overloaded the same way as NAT is already overloading identifiers. Henning Hancock, Robert sagte Mi, 10.05.2006, 04:59: > hi all, > > i'm still trying to get my head round sections 3.8.2 and 3.8.7 of > the spec (which i think is what most of the thread below is about). > > however, i do have a specific comment about the applicability of the > LE-MRM and PC-MRM for various types of scenario. i'll say in advance > that i'm not 100% certain that the LE-MRM definition is right; > however, the discussion below is not persuading me that it is wrong. > i'll try to explain why: > > from a GIST perspective, the purpose of the LE-MRM is to allow an > NSLP at an end host to talk to the 'edge' of the network and to > get signalling messages back. from that point of view, no port numbers > are needed at the GIST level, because there are no port numbers > associated > with the concept 'edge of the network'. routing state can be quite > happily created at NATs along the path [how? see below] and GIST > messages can be sent backwards and forwards as the NSLP requires. > > it turns out that the NATFW NSLP may need a port number for NATFW > purposes; specifically, that the external address that gets allocated > may actually be a {address, port} pair, if the NAT is doing address > sharing [if i understand it right ...]. However, in this particular > case, it's vital that the {address, port} information is *not* carried > at the GIST level, since it's vital that these are *not* translated > on the way back to the end host - the end-host wants these unmodified > so it can advertise them in the public network. so {address, port} have > to be carried at the NSLP level (where other funny processing also > takes place on them). > > the question then arises whether other NSLPs might want to use the > LE-MRM and might need to have port numbers translated for them if > the signalling path went through a NAT. I can't assess that either > way at the moment; however, I can say that the QoS-NSLP is not a > valid example. if the QoS-NSLP wants to use some sort of proxy mode, > then it should use the upstream PC-MRM, not the LE-MRM. this is > because the QoS-NSLP talks about flows, not about network edges. > if the QoS-NSLP wanted to manage QoS for something which wasn't a > flow but which was bound to a network edge for some reason, then the > LE-MRM might be appropriate - but then there would be no port numbers > involved anyway. and i think that the same line of reasoning would > be applied to other NSLPs also. > > there remains the question of how GIST gets LE-MRM-routed traffic > through a NAT. i think there are two cases here: > *) if the NAT hosts the NSLP in question, it is a non-issue. the > signalling traffic is presented to GIST by the NSLP separately > on each interface, and the NSLP is responsible for choosing the > MRI/SID/NSLP to pick out the routing state towards the right peer. > > *) if the NAT does not host the NSLP in question, GIST has to do > MRI/NLI/SCD re-writing to get the Query/Response messages backwards > and forwards correctly. no GIST routing state gets established, but > NAT bindings need to be established for the signalling traffic > itself. but I don't see this requiring access to information that > might be carried in the NSLP; the NAT can use the SID or the UDP > source port from the Query as keys for its binding table; the > former we assume to be unique and the latter can be rewritten. > > summary: at the moment, I think that the LE-MRM is ok. However, it's > a subtle subject and it's possible that I haven't understood all the > concerns. I'm also not certain at the moment that the way the NATFW > NSLP does things like proxy REA are correct - still thinking ... > > > cheers, > > r. > >> -----Original Message----- >> From: Martin Stiemerling [mailto:stiemerling@netlab.nec.de] >> Sent: 08 May 2006 16:01 >> To: Henning Peters >> Cc: nsis@ietf.org >> Subject: Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns >> >> >> Hi Henning, >> >> >> Am 21.04.2006 um 22:06 schrieb Henning Peters: >> >> > Dear WG, dear NAT/Firewall NSLP authors, >> > >> > NAT/Firewall NSLP is a quite stable and usable protocol. There is >> > running >> > code already available that covers broad aspects of its >> functionality. >> > This proves at least that from an complexity and functional >> > viewpoint it >> >> Good to hear that! >> >> > can be considered feasible. Still, I find that some parts of the >> > spec can >> > be improved. Here, I would like to present my concerns connected to >> > LE-MRM/DTINFO that I developed during working on our implementation. > >> >> Comments and suggestions are always welcome. >> >> > >> > shortcut: the questions related to WG discussion are at 4). >> > >> > 1) Confusing directions >> > >> > Most notable, the directions are a bit confusing in this object. >> > src port >> > is data sender (DS) port, dst port is data receiver (DR) port. DR >> > port is >> > subject of rewrite, whereas DS port specifies the data >> sender. I would >> > appreciate avoiding the term source and destination in this >> > context, this >> > would also leverage the positioning issue (see later *** when >> > discussing >> > the message format that confusely destination port is positioned >> > before >> > source port). >> >> While the naming is technically correct, I have to admit that it is >> confusing. >> So, I would suggest to change the names directly to what you have >> proposed: 'src port' -> 'DS port' and 'dst port' -> 'DR port'. This >> is then >> inline with the naming of 'data sender's IP address' in the >> same object. >> >> > >> > Anyway, I will refer to DS port and DR port in the following. >> > >> > 2) LE-MRM / DTINFO ports >> > >> > After introduction of LE-MRM (loose end message routing >> method) to the >> > spec last year it was found that NAT traversal in NAPTs is broken as > >> > LE-MRM does not carry port information. Ports are >> considered as not >> > part >> > of GIST routing and therefore omitted from MRI. >> >> There are two things to differentiate: NAPT support is not >> broken in the >> NATFW NSLP and whether NAPT traversal of GIST is broken when using >> LE-MRM is a different story that depends on the view point. >> >> My concern here is about why we need a GIST/LE-MRM NAPT traversal >> mechanism? When there is a NAT on your side of the network that is >> not NATFW NSLP enabled you anyway need to fall back to all the >> other workarounds, such as STUN, TURN, or other tricks. >> >> >> > >> > To compensate this DTINFO object was enhanced later with the port >> > information that was previously accessable in PC-MRM >> (signaling the >> > wrong >> > way) MRI. I believe that the current approach is not a good design >> >> There is non compensation needed, because GIST carries all information > >> necessary for the message routing and the DTINFO object carries >> information about the later expected data flow. That are basically two > >> different things: The message routing information and the expected >> data flow. >> >> > decision as GIST NAT traversal would be rendered broken. GIST NAT >> > traversal is crucial as we cannot assume a domainwide deployment of >> > NAT/Firewall NSLP instantly. I would appreciate a >> deployable over a >> > 100% >> > clean solution as deployment will be very crucial to >> NAT/Firewall NSLP >> > success anyway. >> >> I do not see the applicability given for the GIST with LE-MRM and NAT >> traversal. I probably need a good example why it is needed. >> >> > >> > See Martin's and my discussion in the issue tracker: >> > https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/issue50 >> > >> > Actually, only the DR port and protocol field is needed for NAT >> > traversal >> > as REA/LE-MRM needs only a one-sided translation. >> > >> > 3) DTINFO message format >> > >> > The message format of the current solution is a bit confusing and >> > lacks >> > IPv6 support (DTINFOv6 object was removed in previous draft). Let >> > me start >> > with its figure: >> >> The DTINFO_IPV6 object has been removed since there is no IPv6 NAT >> and the usage of NAT-PT seems to be deprecated. >> >> > >> > >> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> > |I|P|S| reserved | dest prefix | >> protocol | >> > >> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> > (***): dst port number [DR] | src port number >> [DS] : >> > >> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> > : IPsec SPI >> : >> > >> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> > | data sender's IPv4 address >> | >> > >> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >> > >> > The purpose of this object is two-fold: >> > >> > - specify data sender during REA (aka: the cone-ness of the NAT) >> > >> > - supply DR port/protocol for NAT traversal >> > >> > Unfortunately, the draft heavily mixes and overloads these two >> > different >> > semantical aspects in this object. Specifically, I see following >> > issues: >> > >> > a) The P flag specifies whether port numbers are present or >> not. This >> > means that either both ports are present or none. Confusely, DR >> > port and >> > DS port cover different semantic aspects: >> > >> > DS port specifies the data sender, DR port is necessary for NAT >> > traversal. >> > A single flag to enable/disable two fields with different semantical > >> > meaning can be problematic. >> >> I makes sense to either enable usage of ports or not. >> However, if ports >> are enabled you still can wildcard the DS port. This makes some sense >> from the point of whether your policy rule to be installed in >> the device >> covers port numbers or not. >> >> > >> > b) The I flag specifies whether the protocol field should be >> > interpreted >> > or not. The protocol defines the protocol used for above mentioned >> > ports >> > if the P flag is set aswell. Although the ports are of different >> > semantical meaning, the protocol covers both equally. >> > >> > I am not sure whether this semantical overloading may introduce new >> > problems, at least this limits flexibility compared to PC-MRM case >> > where a >> > protocol can be set in MRI and in DTINFO independently. >> >> DTINFO and PC-MRM cannot be used at the same time. *BUT* this is >> not specified in the draft :-) >> I will fix this. >> >> > >> > c) DTINFO object might be used for firewall signaling scenarios. But > >> > LE-MRM can only cover NAT-only scenarios. That means that the NR >> > has to >> > know the scenario in advance to choose between PC-MRM and LE-MRM >> > signaling. The more intelligence is put into NR the more it >> evolves >> > to a >> > probing NR. >> >> Right, NR needs to choose carefully in what scenario it is. But the >> DTINFO object >> is not useful in firewall only scenarios, since those messages are >> anyway >> carried using the PC-MRM. >> >> > >> > A probing NR sounds to me a bit like the situations BEHAVE working >> > group >> > deal with; this is not the situation I would like to see NAT/ >> > Firewall NSLP >> > in. I think that our network states can be used more flexibly to >> > assist >> > the NR better. The NR should not care about the network, but only >> > give the >> > definitions that the network should adapt to. >> >> I would prefer a different way of deciding whether the NR is NATed or >> firewalled only. However, until now there has been now good proposal >> how to avoid this. Suggestions are welcome. >> >> > >> > Surely, this is a design decision that needs WG consensus. >> > >> > d) DTINFO object MUST be included when using LE-MRM as NAT >> > traversal is >> > not possible as long as DR port is not available. >> Therefore, following >> > paragraphs might need correction: >> > >> >> The NI+ MAY include a NATFW_DTINFO_IPv4 object in the REA message >> >> when using the LE-MRM. The LE-MRM does not include enough >> > >> > also: >> > >> >> When the data sender's address information is known in >> advance the >> >> NI+ >> >> MAY include a NATFW_DTINFO_IPv4 object in the REA message (as >> >> described >> >> above). >> >> Already noted this. >> >> > >> > 4) I hope I pointed out that a discussion of following points in >> > the WG is >> > necessary: >> > >> > - How much intelligence should have the NR -> shall the network >> > handle the >> > deployment sceario or should the NR know/probe the network scenario? > >> >> As said, I'm open for suggestions! >> >> > >> > - Is a broken GIST NAT traversal worth giving up a 100% clean MRM >> > design? >> >> I still lack the real usage scenario for GIST with LE-MRM NAT >> traversal. >> >> > >> > The message format issues heavily depend on these discussions, >> > therefore I >> > would rather like to delay the message format design until both >> > questions >> > gained consensus. >> > >> > I also appreciate any feedback on our NAT/Firewall NSLP >> implementation >> > available at: >> > >> > http://user.informatik.uni-goettingen.de/~nsis/ >> >> I hope to get some time for checking this out. >> >> > >> > Thank you for your attention, >> >> Thanks a lot for the comments! >> >> > Henning Peters >> > >> > >> > _______________________________________________ >> > nsis mailing list >> > nsis@ietf.org >> > https://www1.ietf.org/mailman/listinfo/nsis >> >> >> _______________________________________________ >> nsis mailing list >> nsis@ietf.org >> https://www1.ietf.org/mailman/listinfo/nsis >> > > _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Hannes Tschofenig
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Hancock, Robert
- RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling