IETF Logo Mail Archive

Re: [pcp] Fw:I-D Action: New Version Notification for draft-tsou-pcp-natcoord-08.txt

Qiong <bingxuere@gmail.com> Thu, 01 November 2012 12:19 UTC

Return-Path: <bingxuere@gmail.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B93DF21F8843 for <pcp@ietfa.amsl.com>; Thu, 1 Nov 2012 05:19:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-CefHMp1JnQ for <pcp@ietfa.amsl.com>; Thu, 1 Nov 2012 05:19:34 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id 71EA521F887B for <pcp@ietf.org>; Thu, 1 Nov 2012 05:19:34 -0700 (PDT)
Received: by mail-ie0-f172.google.com with SMTP id 9so3974228iec.31 for <pcp@ietf.org>; Thu, 01 Nov 2012 05:19:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=+VQhheLoXBbSvCeurKJpxKSot1NzFTGRxgYV9b2e2Us=; b=e6dpFBkuih0umvLhnExR+aVjOopvnbz11IsgvGFypIKoutfo1PtpGRy90uGe3D2Uif QNOtZ+u0h9z2qqvnqr8Q6dLBO8g87GvQCtFZkkp5Oegk43aKWp9eeM1/r4jwjT89mi7Q u9CZBMHMlFVITWD/XbYjwzBXrz021lBXisTunPblQU8//5LTcQSOxyd7tJuHylBLdPQv M0QUp8ZAgszSBrSejH55V2UvCqaHexCmi/Ck0TclgObs3WNrW1BFj1eb0Y9xRO6eBYy5 4YB47k/OkoOhmXJ3OuKh31wp6qfCCTMIUWTDApZqaC8EI6cJNV+traJHLQXeQngcUew2 +jlA==
Received: by 10.50.155.162 with SMTP id vx2mr944748igb.61.1351772373944; Thu, 01 Nov 2012 05:19:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.76.200 with HTTP; Thu, 1 Nov 2012 05:18:53 -0700 (PDT)
In-Reply-To: <0c8701cdb792$8ee8c4a0$acba4de0$@cisco.com>
References: <CAH3bfAAn79BdM+F9G2WkJwvwxo08y89Fa3D6VKRX6cOZu98FYA@mail.gmail.com> <0c8701cdb792$8ee8c4a0$acba4de0$@cisco.com>
From: Qiong <bingxuere@gmail.com>
Date: Thu, 01 Nov 2012 20:18:53 +0800
Message-ID: <CAH3bfABZOjVZqHzZ7PTJfQ5WQT0wUnbZRtMCoJJfVsMw==U8bQ@mail.gmail.com>
To: Dan Wing <dwing@cisco.com>
Content-Type: multipart/alternative; boundary="e89a8f2354832a8bda04cd6e0825"
Cc: "pcp@ietf.org" <pcp@ietf.org>
Subject: Re: [pcp] Fw:I-D Action: New Version Notification for draft-tsou-pcp-natcoord-08.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 12:19:36 -0000

Dear Dan,

Thanks a lot for your review :) Please see inline


On Thu, Nov 1, 2012 at 2:07 AM, Dan Wing <dwing@cisco.com> wrote:

> > -----Original Message-----
> > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On Behalf Of
> > Qiong
> > Sent: Wednesday, October 31, 2012 12:41 AM
> > To: pcp@ietf.org
> > Subject: [pcp] Fw:I-D Action: New Version Notification for draft-tsou-
> > pcp-natcoord-08.txt
> >
> > Dear all,
> >
> > We have updated the pcp-natcoord draft according to the comments from
> > the wg before. The major changes in this version is as follows:
> >
> > 1) Update the PORT_SET_Nonce field and be consistent with the latest
> > pcp-base draft
> > 2) Encode the port-set in contiguous port mask, and remove the
> > Cryptographically_Random_Port_Range option
> >
> > 3) Add coexistence with MAP.
> > 4) Add security consideration and failover consideration
> >
> >
> > Your further comments are appreciated.
>
> draft-tsou-pcp-natcoord-08 says:
>
>   Using individual MAP requests to reserve all individual ports of a
>   given port set can not achieve this goal because an additional
>   indication is needed to instruct the PCP-controlled device to not
>   enforce a NAT for packets matching these ports.  A candidate solution
>   is to define a new Option to request for this feature be enforced by
>   the PCP-controlled device.
>
> The sentences above are not accurate.  A PCP-controlled device that does
> not NAT will simply return the same IP address and port for
> the externally-mapped IP address, as described in draft-ietf-pcp-base-28:
>
>    Mapping, Port Mapping, Port Forwarding:
>       A NAT mapping creates a relationship between an internal IP
>       address, protocol, and port, and an external IP address, protocol,
>       and port.  More specifically, it creates a translation rule where
>       packets destined to the external IP and port are translated to the
>       internal IP address, protocol, and port, and vice versa.  In the
>       case of a pure firewall, the "Mapping" is the identity function,
>       translating an internal IP address, protocol, and port number to
>       the same external IP address, protocol, and port number.  Firewall
>       filtering, applied in addition to that identity mapping function,
>       is separate from the mapping itself.
>
> [Qiong] Right. Thanks for pointing it out. My understanding is in pcp-base
pure firewall case, it only keeps record on the mapping rule and this
pcp-controlled device can be configured with non-NAT function. Am I right?
This can also be applied to pcp-natcoord where this port-set mapping rule
is recorded with no-NAT functionality.

>
>
> draft-tsou-pcp-natcoord-08 says:
>
>   Another issue, is when no NAT is enforced in the PCP-controlled
>   device but only a Port Range Router (PRR) function, the
>   request has not to indicate the internal ports.
>
> But then how does pcp-natcoord ensure the subscriber's equipment and
> the service provider equipment have the same configuration of
> the subscriber's port number range?  Seems it doesn't ensure the
> configurations are the same; something else does?
>
[Qiong] Sorry I'm not sure if I understand it correctly. The subscriber's
equipment (e.g. CPE) can initiate the pcp-natcoord request from the service
provider equipment (e.g. pcp-controlled device) to get the port range.
Since the subscriber's equipment will have distinct IPv6 address (e.g.
cpe's wan address), the pcp-controlled device can use the v6 address
(internal address) as an index to fetch proper mapping rule, including
internal v6 address, external v4 address and port set. Therefore, the
configuration consistency between the CPE and PCP-controlled devices can be
ensured. Does it address your concern ?

>
>
> The draft needs to consider what happens when the port-sets overlap
> or are supersets of each other.  Especially how the Mapping Nonce
> is handled in that situation.
>
[Qiong] In the draft, we say "However, this port set indicated in the
request of the PCP Client is only a hint; it is up to the PCP Server to
assign a port set". So the PCP server can guarantee that the port-sets will
not overlap with each other, right ?

Besides, since the pcp-controlled device can identify each client with the
internal address(IPv6 address), I think there will be no confusion in PCP
servers to assgin non-overlap port-set to clients.

I will add it explicitly in draft as a requirement to PCP server. Is it ok ?

>
>
> draft-tsou-pcp-natcoord-08 says:
>
>   The Client MUST use a different Mapping Nonce for
>   different MAP_PORT_SET requests.
>
> This is a MUST, which means there must be something that breaks if
> it violates that requirement.  What breaks?
>

[Qiong] This is used when one pcp-natcoord client is allowed to initiate
multiple port-set requests in case it has used out all the ports in one
port-set. As a result, one pcp client may get multiple mapping rules
including the same Internal address, external address and different
port-sets. In this case, one mapping rule should have one corresponding
mapping nonce, and the server should also keep the Nonce value for each
port-set mapping. Otherwise, the pcp server can not get the distinction
between a port-set request retransimission when the request is somehow lost
and a new port-set request to get another port-set mapping, since the
suggested port-set might be zero in both cases and the Internal address,
protocol is the same. So when the client is going to request a new
port-set, a different Mapping Nonce should be used with the previous
port-set request. Does it make sense ? Hope it clarifies -:)

Thanks again for your comments !

Best wishes
Qiong

>
>
> -d
>
>
> > BTW, you can also find the opensource project in sourceforge:
> > http://sourceforge.net/projects/pcpportsetdemo/
> >
> >
> > Thanks a lot!
> >
> > Best wishes
> >
> > --
> > ==============================================
> > Qiong Sun
> > China Telecom Beijing Research Institude
> >
> >
> > Open source code:
> > lightweight 4over6: http://sourceforge.net/projects/laft6/
> > PCP-natcoord: http://sourceforge.net/projects/pcpportsetdemo/
> > ===============================================
> >
> >
>
>
>


-- 
==============================================
Qiong Sun
China Telecom Beijing Research Institude


Open source code:
lightweight 4over6: *http://sourceforge.net/projects/laft6/*
PCP-natcoord:* http://sourceforge.net/projects/pcpportsetdemo/ *
===============================================

v2.23.0 | Report a Bug | By Email