Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns
Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Sat, 22 April 2006 09:18 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FXEFj-0003Hx-H0; Sat, 22 Apr 2006 05:18:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FXEFh-0003Hs-GX for nsis@ietf.org; Sat, 22 Apr 2006 05:18:05 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1FXEFf-00041U-Rx for nsis@ietf.org; Sat, 22 Apr 2006 05:18:05 -0400
Received: (qmail invoked by alias); 22 Apr 2006 09:18:02 -0000
Received: from p54987329.dip.t-dialin.net (EHLO [192.168.2.33]) [84.152.115.41] by mail.gmx.net (mp026) with SMTP; 22 Apr 2006 11:18:02 +0200
X-Authenticated: #29516787
Message-ID: <4449F4CA.3070803@gmx.net>
Date: Sat, 22 Apr 2006 11:18:02 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Henning Peters <hpeters@math.uni-goettingen.de>
Subject: Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns
References: <60367.24.199.92.165.1145650000.squirrel@mail.piranho.net>
In-Reply-To: <60367.24.199.92.165.1145650000.squirrel@mail.piranho.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ccfb4541e989aa743998098cd315d0fd
Cc: nsis@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Errors-To: nsis-bounces@ietf.org
Hi Henning, thanks for your comments. Please find my response below: Henning Peters wrote: > Dear WG, dear NAT/Firewall NSLP authors, > > NAT/Firewall NSLP is a quite stable and usable protocol. There is running > code already available that covers broad aspects of its functionality. > This proves at least that from an complexity and functional viewpoint it > can be considered feasible. Still, I find that some parts of the spec can > be improved. Here, I would like to present my concerns connected to > LE-MRM/DTINFO that I developed during working on our implementation. > > shortcut: the questions related to WG discussion are at 4). > > 1) Confusing directions > > Most notable, the directions are a bit confusing in this object. src port > is data sender (DS) port, dst port is data receiver (DR) port. DR port is > subject of rewrite, whereas DS port specifies the data sender. I would > appreciate avoiding the term source and destination in this context, this > would also leverage the positioning issue (see later *** when discussing > the message format that confusely destination port is positioned before > source port). I agree. > > Anyway, I will refer to DS port and DR port in the following. > > 2) LE-MRM / DTINFO ports > > After introduction of LE-MRM (loose end message routing method) to the > spec last year it was found that NAT traversal in NAPTs is broken as > LE-MRM does not carry port information. Ports are considered as not part > of GIST routing and therefore omitted from MRI. > > To compensate this DTINFO object was enhanced later with the port > information that was previously accessable in PC-MRM (signaling the wrong > way) MRI. I believe that the current approach is not a good design > decision as GIST NAT traversal would be rendered broken. GIST NAT > traversal is crucial as we cannot assume a domainwide deployment of > NAT/Firewall NSLP instantly. I would appreciate a deployable over a 100% > clean solution as deployment will be very crucial to NAT/Firewall NSLP > success anyway. The counter argument is the following: Why should someone use GIST NAT traversal when in relationship to the NATFW NSLP? Problems show up when the QoS NSLP suddenly starts to use a proxy mode configuration similar to the NATFW NSLP. I personally, however, think that the introduction of the port numbers into the LE-MRM would be cleaner. > > See Martin's and my discussion in the issue tracker: > https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/issue50 > > Actually, only the DR port and protocol field is needed for NAT traversal > as REA/LE-MRM needs only a one-sided translation. > > 3) DTINFO message format > > The message format of the current solution is a bit confusing and lacks > IPv6 support (DTINFOv6 object was removed in previous draft). Let me start > with its figure: > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |I|P|S| reserved | dest prefix | protocol | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > (***): dst port number [DR] | src port number [DS] : > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > : IPsec SPI : > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | data sender's IPv4 address | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > The purpose of this object is two-fold: > > - specify data sender during REA (aka: the cone-ness of the NAT) > > - supply DR port/protocol for NAT traversal > > Unfortunately, the draft heavily mixes and overloads these two different > semantical aspects in this object. Specifically, I see following issues: > > a) The P flag specifies whether port numbers are present or not. This > means that either both ports are present or none. Confusely, DR port and > DS port cover different semantic aspects: > > DS port specifies the data sender, DR port is necessary for NAT traversal. > A single flag to enable/disable two fields with different semantical > meaning can be problematic. I agree. > > b) The I flag specifies whether the protocol field should be interpreted > or not. The protocol defines the protocol used for above mentioned ports > if the P flag is set aswell. Although the ports are of different > semantical meaning, the protocol covers both equally. > > I am not sure whether this semantical overloading may introduce new > problems, at least this limits flexibility compared to PC-MRM case where a > protocol can be set in MRI and in DTINFO independently. > > c) DTINFO object might be used for firewall signaling scenarios. But > LE-MRM can only cover NAT-only scenarios. That means that the NR has to > know the scenario in advance to choose between PC-MRM and LE-MRM > signaling. The more intelligence is put into NR the more it evolves to a > probing NR. I don't think that the LE-MRM can only be used for NAT scenarios. In a firewall scenario an applicability statement is appropriate to deal with multi-homed networks. > > A probing NR sounds to me a bit like the situations BEHAVE working group > deal with; this is not the situation I would like to see NAT/Firewall NSLP > in. I think that our network states can be used more flexibly to assist > the NR better. The NR should not care about the network, but only give the > definitions that the network should adapt to. > > Surely, this is a design decision that needs WG consensus. > > d) DTINFO object MUST be included when using LE-MRM as NAT traversal is > not possible as long as DR port is not available. Therefore, following > paragraphs might need correction: > > >>The NI+ MAY include a NATFW_DTINFO_IPv4 object in the REA message >>when using the LE-MRM. The LE-MRM does not include enough > > > also: > > >>When the data sender's address information is known in advance the NI+ >>MAY include a NATFW_DTINFO_IPv4 object in the REA message (as described >>above). > > I agree. > 4) I hope I pointed out that a discussion of following points in the WG is > necessary: > > - How much intelligence should have the NR -> shall the network handle the > deployment sceario or should the NR know/probe the network scenario? > I think that the NR should be required to have as little information as possible. > - Is a broken GIST NAT traversal worth giving up a 100% clean MRM design? The problems particularly show up when the QoS folks decide to use the LE-MRM for a proxy solution. > > The message format issues heavily depend on these discussions, therefore I > would rather like to delay the message format design until both questions > gained consensus. > > I also appreciate any feedback on our NAT/Firewall NSLP implementation > available at: > > http://user.informatik.uni-goettingen.de/~nsis/ Ciao Hannes > > Thank you for your attention, > Henning Peters > > > _______________________________________________ > nsis mailing list > nsis@ietf.org > https://www1.ietf.org/mailman/listinfo/nsis > > _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concerns Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Hannes Tschofenig
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Hancock, Robert
- RE: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Henning Peters
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling
- Re: [NSIS] NAT/Firewall NSLP LE-MRM/DTINFO concer… Martin Stiemerling