IETF Logo Mail Archive

Re: [pcp] WGLC: draft-ietf-pcp-port-set-03.txt comments due by NOV 5

Simon Perreault <simon.perreault@viagenie.ca> Thu, 31 October 2013 14:24 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B8B21F9DD6 for <pcp@ietfa.amsl.com>; Thu, 31 Oct 2013 07:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FeJ740A+Kvxk for <pcp@ietfa.amsl.com>; Thu, 31 Oct 2013 07:24:14 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id 4EBB021F9DD5 for <pcp@ietf.org>; Thu, 31 Oct 2013 07:24:14 -0700 (PDT)
Received: from porto.nomis80.org (unknown [IPv6:2620:0:230:2001::1000]) by jazz.viagenie.ca (Postfix) with ESMTPSA id C3D1640060 for <pcp@ietf.org>; Thu, 31 Oct 2013 10:24:13 -0400 (EDT)
Message-ID: <5272680D.6060209@viagenie.ca>
Date: Thu, 31 Oct 2013 10:24:13 -0400
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8
MIME-Version: 1.0
To: pcp@ietf.org
References: <b8f9ec4bebff4bea86d0e28901dca183@BN1PR03MB267.namprd03.prod.outlook.com>
In-Reply-To: <b8f9ec4bebff4bea86d0e28901dca183@BN1PR03MB267.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1257"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [pcp] WGLC: draft-ietf-pcp-port-set-03.txt comments due by NOV 5
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2013 14:24:15 -0000

Dave,

Thanks a lot for the review! I'll be sure to incorporate your comments 
into a new revision shortly after the gates reopen.

Le 2013-10-30 18:33, Dave Thaler a écrit :
> 1) The claim that a port set makes code simpler needs an explanation to justify it.
> E.g., if an app really needs 16 ports, and it fails to get 16 back in its first request, it still
> has to handle that and say make multiple separate requests.

Two observations:

- Wouldn't that behaviour be a tiny bit evil? It reminds me of 
applications that create multiple flows in an attempt to trick an 
SFQ-based QoS into allocating them more bandwidth.

- Often, apps that ask for N ports don't really need N ports. Ideally 
they would like to get N ports, but they can live with <N ports. No need 
for single-port fallback in that case.

> So if it already has to have
> code to deal with multiple separate requests, why is it simpler to add port set functionality
> to and implement both?  This seems counter-intuitive to a reader.

That would only apply to apps that absolutely need N ports to function, 
and don't need them to be contiguous. Those apps need to fall back on 
single-port requests as you describe. But I would argue that these apps 
are really quite rare.

We can add text describing these concerns in the next revision.

> 2) Text on overlapping ranges needs more detail.  Is it legal for a client to send requests for
> overlapping ranges in parallel or not?  I ask because this was an attack vector for IP reassembly
> so can imagine we need the precision here to avoid similar attacks.  This might have an impact
> on the Security Considerations section.

Hmmm... interesting. I see now that those requests would not be 
idempotent, contrary to single-port MAP requests. The first one to be 
processed by the server would "win". Responses to each request would 
depend on which one has won.

I don't see an attack here, but the lack of idempotence bugs me. I don't 
quite know what action to take here except describe the situation in the 
next revision.

> 3) The unstated assumption in section 5.3 seems to be that the client can reuse the same
> mapping nonce in all independent requests that it wants to refresh as a block, is that right?

Right.

> Let's say internal port 100 and 110 both have the same mapping nonce, and internal port 105
> has a different mapping nonce (e.g., from a different PCP client on the same host).
> If the first PCP client sends a refresh for port 100, Port Set Size = 11, what would the effect be
> at the PCP server?

Assuming the request nonce matches the nonce of the mapping at port 100, 
then:

- The mapping at port 100 would be refreshed.

- The mapping at port 110 would not be refreshed, but its remaining 
lifetime would be returned by the server, as described in 
draft-cheshire-pcp-unsupp-family. The response's nonce would be copied 
from the request's nonce.

If you agree that this is how it should be, I'll add this to the example 
section. However, that would depend on keeping the normative reference 
to unsupp-family (see point 5 below).

> 4) Section 4.1 says if the response does not include a PORT_SET, in a response it assumes
> the server doesn't support it, and sends individual MAP requests for the rest of the ports it needs.
> But section 4.2 says if the server does support PORT_SET but can only return 1 in its first response,
> It must omit the PORT_SET option.  I think that's wrong since it will confuse the client as noted above.
> If it's included with a Port Set Size of 1, the client knows it can keep trying using PORT_SET for subsequent
> blocks, which might get more than 1 port in each response.

Agreed. I'll modify the draft accordingly unless others disagree.

> 5) If we want this to go to RFC soon, we need to remove normative references to non-RFCs
> (and this is easy, I suggested text), but I think we should also remove informative references to
> individual drafts (i.e., drafts that aren't currently WG drafts in any WG), and instead only reference
> in the reverse direction; those other drafts should reference this one instead of the other way around.

AFAIK, informative references don't prevent publishing as an RFC. So 
I'll focus on normative references.

I'll remove the reference to draft-boucadair-pcp-failure unless others 
disagree.

About draft-cheshire-pcp-unsupp-family: we could remove the reference 
and let the document stand on its own. The new example showing the 
effect of nonce checking multiple mappings with differing nonces would 
be added to draft-cheshire.

As an aside: the example in section "5.2 Stateless Mapping Discovery" is 
not specific to draft-tsou-stateless-nat44. It is intended to illustrate 
how discovery is done generically without the client knowing the kind of 
stateless NAT it is speaking to. In fact, if the NAT in that example had 
been one implementing draft-tsou, the numbers would have been different. 
Therefore I suggest keeping the example.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca

v2.23.0 | Report a Bug | By Email