Re: [pcp] Fw:I-D Action: New Version Notification for draft-tsou-pcp-natcoord-08.txt
"Dan Wing" <dwing@cisco.com> Thu, 01 November 2012 14:49 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4918F21F8D2E for <pcp@ietfa.amsl.com>; Thu, 1 Nov 2012 07:49:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.524
X-Spam-Level:
X-Spam-Status: No, score=-110.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4vUfF2gmBzmJ for <pcp@ietfa.amsl.com>; Thu, 1 Nov 2012 07:49:16 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 5916F21F8A91 for <pcp@ietf.org>; Thu, 1 Nov 2012 07:49:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7920; q=dns/txt; s=iport; t=1351781356; x=1352990956; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=tsd6A39cn38lbUFs1m9YTI1DGALtHBNYegrdw6rThd0=; b=gCpQ0tPoKd72rVfLoMuO7HcC2HL9YUw476OO2vGT9RRptBnZ48XTw3V1 7CDanxhF8KMYx2aAgTBbQoFI4ckQSY6wEzPH4rqDK3zaCUn+Lz7Tls4NY j9sdps39wmjQSICUL4vuA4ITpLFvPChGQq7n1D5SM1Zxh8piYMOjeu/YL 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAA+LklCrRDoI/2dsb2JhbAA6AQmGF71UgQiCHgEBAQMBCAIIARBPBQIFBwEDAgkRBAEBAQICIwMCAhkIJQkIAgQRAgsFCweHUgMJBQycE40piScNiVSBIIl0ZxABhReBEwOIWoUXhjKBVYEbiheDJoFrgw8f
X-IronPort-AV: E=Sophos;i="4.80,693,1344211200"; d="scan'208";a="60304016"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 01 Nov 2012 14:49:13 +0000
Received: from DWINGWS01 ([10.32.240.194]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id qA1EnDNi007686; Thu, 1 Nov 2012 14:49:13 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Qiong' <bingxuere@gmail.com>
References: <CAH3bfAAn79BdM+F9G2WkJwvwxo08y89Fa3D6VKRX6cOZu98FYA@mail.gmail.com> <0c8701cdb792$8ee8c4a0$acba4de0$@cisco.com> <CAH3bfABZOjVZqHzZ7PTJfQ5WQT0wUnbZRtMCoJJfVsMw==U8bQ@mail.gmail.com>
In-Reply-To: <CAH3bfABZOjVZqHzZ7PTJfQ5WQT0wUnbZRtMCoJJfVsMw==U8bQ@mail.gmail.com>
Date: Thu, 01 Nov 2012 07:49:12 -0700
Message-ID: <01ac01cdb840$0ef753c0$2ce5fb40$@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQNPFg3hnot8iaQn7dMg74vbEf4q5wHPoD1sAYkIPtOUt40EMA==
Content-Language: en-us
Cc: pcp@ietf.org
Subject: Re: [pcp] Fw:I-D Action: New Version Notification for draft-tsou-pcp-natcoord-08.txt
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 14:49:17 -0000
> -----Original Message----- > From: Qiong [mailto:bingxuere@gmail.com] > Sent: Thursday, November 01, 2012 5:19 AM > To: Dan Wing > Cc: pcp@ietf.org > Subject: Re: [pcp] Fw:I-D Action: New Version Notification for draft- > tsou-pcp-natcoord-08.txt > > Dear Dan, > > Thanks a lot for your review :) Please see inline > > > > On Thu, Nov 1, 2012 at 2:07 AM, Dan Wing <dwing@cisco.com> wrote: > > > > -----Original Message----- > > From: pcp-bounces@ietf.org [mailto:pcp-bounces@ietf.org] On > Behalf Of > > Qiong > > Sent: Wednesday, October 31, 2012 12:41 AM > > To: pcp@ietf.org > > Subject: [pcp] Fw:I-D Action: New Version Notification for draft- > tsou- > > pcp-natcoord-08.txt > > > > Dear all, > > > > We have updated the pcp-natcoord draft according to the comments > from > > the wg before. The major changes in this version is as follows: > > > > 1) Update the PORT_SET_Nonce field and be consistent with the > latest > > pcp-base draft > > 2) Encode the port-set in contiguous port mask, and remove the > > Cryptographically_Random_Port_Range option > > > > 3) Add coexistence with MAP. > > 4) Add security consideration and failover consideration > > > > > > Your further comments are appreciated. > > > draft-tsou-pcp-natcoord-08 says: > > Using individual MAP requests to reserve all individual ports of > a > given port set can not achieve this goal because an additional > indication is needed to instruct the PCP-controlled device to not > enforce a NAT for packets matching these ports. A candidate > solution > is to define a new Option to request for this feature be enforced > by > the PCP-controlled device. > > The sentences above are not accurate. A PCP-controlled device that > does > not NAT will simply return the same IP address and port for > the externally-mapped IP address, as described in draft-ietf-pcp- > base-28: > > Mapping, Port Mapping, Port Forwarding: > A NAT mapping creates a relationship between an internal IP > address, protocol, and port, and an external IP address, > protocol, > and port. More specifically, it creates a translation rule > where > packets destined to the external IP and port are translated > to the > internal IP address, protocol, and port, and vice versa. In > the > case of a pure firewall, the "Mapping" is the identity > function, > translating an internal IP address, protocol, and port number > to > the same external IP address, protocol, and port number. > Firewall > filtering, applied in addition to that identity mapping > function, > is separate from the mapping itself. > > > > [Qiong] Right. Thanks for pointing it out. My understanding is in pcp- > base pure firewall case, it only keeps record on the mapping rule and > this pcp-controlled device can be configured with non-NAT function. Am I > right? > This can also be applied to pcp-natcoord where this port-set mapping > rule is recorded with no-NAT functionality. > > > > > draft-tsou-pcp-natcoord-08 says: > > Another issue, is when no NAT is enforced in the PCP-controlled > device but only a Port Range Router (PRR) function, the > request has not to indicate the internal ports. > > But then how does pcp-natcoord ensure the subscriber's equipment > and > the service provider equipment have the same configuration of > the subscriber's port number range? Seems it doesn't ensure the > configurations are the same; something else does? > > > [Qiong] Sorry I'm not sure if I understand it correctly. The > subscriber's equipment (e.g. CPE) can initiate the pcp-natcoord request > from the service provider equipment (e.g. pcp-controlled device) to get > the port range. Ok. Which UDP port does the CPE send that PCP request, if it does not yet already know the port range assigned to the CPE? > Since the subscriber's equipment will have distinct IPv6 > address (e.g. cpe's wan address), the pcp-controlled device can use the > v6 address (internal address) as an index to fetch proper mapping rule, > including internal v6 address, external v4 address and port set. > Therefore, the configuration consistency between the CPE and PCP- > controlled devices can be ensured. Does it address your concern ? > > > > > The draft needs to consider what happens when the port-sets overlap > or are supersets of each other. Especially how the Mapping Nonce > is handled in that situation. > > > [Qiong] In the draft, we say "However, this port set indicated in the > request of the PCP Client is only a hint; it is up to the PCP Server to > assign a port set". So the PCP server can guarantee that the port-sets > will not overlap with each other, right ? Let's say the PCP server assigns ports 100-199. Then, because of another request from the CPE, the PCP server assigns ports 200-299. The draft needs to explain if that second PCP response will be indicate just ports 200-299, or if it will indicate ports 100-299. The server could send either sort of response back, so it should more clearly explain that the CPE needs to handle either response, or declare the 100-299 response as illegal, or something. > Besides, since the pcp-controlled device can identify each client with > the internal address(IPv6 address), I think there will be no confusion > in PCP servers to assgin non-overlap port-set to clients. > > I will add it explicitly in draft as a requirement to PCP server. Is it > ok ? -d > > > > > draft-tsou-pcp-natcoord-08 says: > > The Client MUST use a different Mapping Nonce for > different MAP_PORT_SET requests. > > This is a MUST, which means there must be something that breaks if > it violates that requirement. What breaks? > > > > [Qiong] This is used when one pcp-natcoord client is allowed to initiate > multiple port-set requests in case it has used out all the ports in one > port-set. As a result, one pcp client may get multiple mapping rules > including the same Internal address, external address and different > port-sets. In this case, one mapping rule should have one corresponding > mapping nonce, and the server should also keep the Nonce value for each > port-set mapping. Otherwise, the pcp server can not get the distinction > between a port-set request retransimission when the request is somehow > lost and a new port-set request to get another port-set mapping, since > the suggested port-set might be zero in both cases and the Internal > address, protocol is the same. So when the client is going to request a > new port-set, a different Mapping Nonce should be used with the previous > port-set request. Does it make sense ? Hope it clarifies -:) > > Thanks again for your comments ! > > Best wishes > Qiong > > > > > -d > > > > > BTW, you can also find the opensource project in sourceforge: > > http://sourceforge.net/projects/pcpportsetdemo/ > > > > > > Thanks a lot! > > > > Best wishes > > > > -- > > ============================================== > > Qiong Sun > > China Telecom Beijing Research Institude > > > > > > Open source code: > > lightweight 4over6: http://sourceforge.net/projects/laft6/ > > PCP-natcoord: http://sourceforge.net/projects/pcpportsetdemo/ > > =============================================== > > > > > > > > > > > > -- > ============================================== > Qiong Sun > China Telecom Beijing Research Institude > > > Open source code: > lightweight 4over6: http://sourceforge.net/projects/laft6/ > PCP-natcoord: http://sourceforge.net/projects/pcpportsetdemo/ > =============================================== > >
- [pcp] Fw:I-D Action: New Version Notification for… Qiong
- Re: [pcp] Fw:I-D Action: New Version Notification… Qiong
- Re: [pcp] Fw:I-D Action: New Version Notification… Dan Wing
- Re: [pcp] Fw:I-D Action: New Version Notification… Qiong
- Re: [pcp] Fw:I-D Action: New Version Notification… Dan Wing
- Re: [pcp] Fw:I-D Action: New Version Notification… Simon Perreault
- Re: [pcp] Fw:I-D Action: New Version Notification… Dan Wing
- Re: [pcp] Fw:I-D Action: New Version Notification… Simon Perreault
- Re: [pcp] Fw:I-D Action: New Version Notification… Dan Wing
- Re: [pcp] Fw:I-D Action: New Version Notification… Qiong
- Re: [pcp] Fw:I-D Action: New Version Notification… Qiong
- Re: [pcp] Fw:I-D Action: New Version Notification… Dan Wing
- Re: [pcp] Fw:I-D Action: New Version Notification… Dan Wing
- Re: [pcp] Fw:I-D Action: New Version Notification… Simon Perreault
- Re: [pcp] Fw:I-D Action: New Version Notification… Zhouqian (Cathy)
- Re: [pcp] Fw:I-D Action: New Version Notification… Qiong
- Re: [pcp] Fw:I-D Action: New Version Notification… Xiaohong Deng