IETF Logo Mail Archive

RE: [SAFE] SAFE BoF in Vancouver

<Markus.Isomaki@nokia.com> Wed, 21 November 2007 15:53 UTC

Return-path: <safe-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IurtB-0001dT-4P; Wed, 21 Nov 2007 10:53:21 -0500
Received: from safe by megatron.ietf.org with local (Exim 4.43) id 1Iurt9-0001dN-NM for safe-confirm+ok@megatron.ietf.org; Wed, 21 Nov 2007 10:53:19 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iurt9-0001dF-Do for safe@ietf.org; Wed, 21 Nov 2007 10:53:19 -0500
Received: from smtp.nokia.com ([131.228.20.172] helo=mgw-ext13.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Iurt4-0000nW-T2 for safe@ietf.org; Wed, 21 Nov 2007 10:53:19 -0500
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-ext13.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id lALFqwq9013561 for <safe@ietf.org>; Wed, 21 Nov 2007 17:53:13 +0200
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 21 Nov 2007 17:52:37 +0200
Received: from esebe101.NOE.Nokia.com ([172.21.138.215]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 21 Nov 2007 17:52:37 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [SAFE] SAFE BoF in Vancouver
Date: Wed, 21 Nov 2007 17:52:36 +0200
Message-ID: <C84E0A4ABA6DD74DA5221E0833A35DF30A26C758@esebe101.NOE.Nokia.com>
In-Reply-To: <351D0D85-DE60-4F47-8D16-E61B6799EC79@csperkins.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [SAFE] SAFE BoF in Vancouver
Thread-Index: AcgoWPpKEyLBk45gSfKCQraN6qORvAD4WcbA
References: <351D0D85-DE60-4F47-8D16-E61B6799EC79@csperkins.org>
From: Markus.Isomaki@nokia.com
To: safe@ietf.org
X-OriginalArrivalTime: 21 Nov 2007 15:52:37.0640 (UTC) FILETIME=[8A22B880:01C82C56]
X-Nokia-AV: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 612a16ba5c5f570bfc42b3ac5606ac53
X-BeenThere: safe@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Self-Address Fixing Evolution <safe.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/safe>
List-Post: <mailto:safe@ietf.org>
List-Help: <mailto:safe-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=subscribe>
Errors-To: safe-bounces@ietf.org

Hi,

Here are some thougths on what I think we should be able to figure out
wrt. this BoF. Not necessarily perfectly structured, but I hope this
helps to initiate some discussion already *before* the actual BoF
session, and helps us to formulate the actual key questions to present
in the BoF.


Requirements
------------

Perhaps it's fair to say that stun-control is mostly an opportunistic
extension of an existing protocol (STUN) to do some new stuff (control
NATs instead of just discovering them) rather than a top-down design
based on pre-established requirements. However, to evaluate the
usefulness of stun-control we should agree on some set of requirements
that the protocol should meet and then see if it makes sense to use STUN
as a starting point.

It might help as as starting point to list what stun-control CAN do
without taking it too far. Here is my initial attempt, please comment:
- Discover the NATs between the host and its STUN server. Assuming only
a "single route" between the host and it's outmost NAT, these are the
NATs between the host and any other host in the Internet. Assuming a
more complex topology, the set of NATs depends on the peer (and
routing/link state). There may be further issues with overalapping
private address spaces.
- Discover the "properties" of the UDP-binding in each of the NATs, in
practice the filtering rules and expiration timer. Here it is important
to note that this needs to be done binding-by-binding and in it's not
possible to discover bindings created by other hosts. This can be seen
as a feature or a limitation. 
- Configure the properties of the discovered bindings, if allowed by the
NAT policy. 
- Discover which "control" protocols are supported by each NAT,
including other than STUN itself.

The current draft also extends the discovery and control to firewalls,
with a slightly different techique. 

Based on this analysis a few questions can be raised:
- Is a protocol with features and limitations listed above useful on its
own, or should the functionality be offered as part of some more capable
protocol?
- Should firewalls be in or out of scope?
- Should only UDP be considered, or should also TCP be brought to scope?
If we want to include TCP, does STUN approach make sense?
- Is it a feature or a limitation that bindings are
controlled/discovered one-by-one and hosts can only control/discover
their own bindings?

Applicability
-------------

This relates very much to requirements, i.e. from which real-word
problem do we derive our requirements from and does stun-control indeed
solve a real problem in a reasonable way. I think that the problem
statement is relatively well written in the BoF proposal, including
things like power consumption, server load and possibilty to optimize
certain NAT traversal scenarios. Some questions related to this are:
- What are the exact problems stun-control is supposed to solve?
- Does it really solve them *well enough*? (For instance there are
issues like the complex topologies, inability to discover
non-STUN-supporting firewalls, overlapping address spaces and so on. Are
these serious enough to ruin the use cases people have in mind or can we
live with them?)
- Can it be incrementally deployed? This has been one selling argument.


Relation to other work
----------------------

This is the tough part related to dozens of other middlebox related
protocols, i.e. how does stun-control fit in or differentiate itself.
stun-control seems to have some distinct qualitities compared to various
other protocols. It is hard to describe the differences in brief,
draft-eggert-middlebox-control-survey is one attempt to classify and
compare such protocols. Conserns about overlap with UPnP IGD has been
specifically brough up. In that case the difference is quite clear,
related e.g. to stun-control supporting nested NATs. In general there
are various questions:
- What is the difference/overlap between stun-control and protocols X, Y
and Z?
- What are the most relevant X, Y, and Z?
- In cases of partial overlaps, can the protocols co-exist?
- Does stun-control have some qualities why it would be easier to deploy
than some of the existing protocols that (AFAIK) have not enjoyed wide
deployment so far?

Another area is the separation of discovery and control. In some cases,
e.g. with Teredo, Teredo itself can discover the outermost NAT and
stun-control can start its work from that point onward. On the other
hand, stun-control can be used only for discovery and some other
protocols (such as UPnP IGD) for the actual control.
- Should these kind of interactions be described somewhere in more
detail, or do we just leave them to the product vendors to figure out
(who may come up with exotic combinations...)?

Interest in the vendor/ISP/enterprise/application community
-----------------------------------------------------------

By definition middlebox control solutions are not end-to-end things that
we can just layer on top of the Internet. So, their success heavily
depends on the vendors actually building the middleboxes. Also, in many
cases the features need to be explicitly turned on by the ISPs or
enterprise IT folks, so their support is also needed. Finally, support
is needed from the less-well-defined applications community, who need to
integrate the capabilities in the actual applications who want the
control capabilities.
- Can we say anyting about the interest of these communities toward
stun-control? Is there any good way to find this out?


Regards,
	Markus



>-----Original Message-----
>From: ext Colin Perkins [mailto:csp@csperkins.org] 
>Sent: 16 November, 2007 16:00
>To: ietf@ietf.org
>Cc: safe@ietf.org; Isomaki Markus (Nokia-SIR/Espoo)
>Subject: [SAFE] SAFE BoF in Vancouver
>
>The following BoF has been proposed for the Vancouver IETF. 
>There is a mailing list <safe@ietf.org> for discussion.
>
>Colin
>
>
>
>
>SAFE - Self-Address Fixing Evolution BoF
>----------------------------------------
>
>Chairs:
>   Colin Perkins  (csp@csperkins.org)
>   Markus Isomaki (Markus.Isomaki@nokia.com)
>
>Mailing list:
>   https://www1.ietf.org/mailman/listinfo/safe
>
>Various NAT hole-punching techniques such as IPsec NAT 
>traversal, Teredo, and STUN/ICE send periodic UDP keep-alive 
>messages to keep their NAT binding alive.
>
>However, a drawback of these techniques is their chattiness 
>which is a result of the host application not knowing the 
>NAT's binding lifetime (IPsec NAT traversal, STUN/ICE) or 
>because the application is unable to extend the lifetime of 
>the NAT's binding (Teredo).  The endpoint has to send periodic 
>packets which consume power on battery powered devices, 
>consume network bandwidth, and place an unnecessary load on servers.
>
>There are two approaches to resolve the problem of chattiness. 
>The first is to interact directly with the NAT using a NAT 
>control protocol. Several of these protocols exist which 
>unfortunately have different drawbacks:
>
>   * incremental deployment is not possible with MIDCOM, NSIS-NSLP,
>     UPnP IGD, or NAT-PMP.  With all of these protocols, both the NAT
>     and the endpoint have to support the same protocol
>   * nested NATs are not possible with UPnP IGD or NAT-PMP
>   * topology awareness is required of MIDCOM
>   * security must be established between the controlling entity and
>     the NAT for MIDCOM and NSIS-NSLP
>   * UPnP IGD uses broadcasts packets and NAT-PMP expects the NAT to be
>     the default gateway; neither work well on routed networks
>
>The second approach is to empirically test the NAT's binding 
>lifetime, as done by Teredo. This can optimise the keep-alive 
>traffic based on the NAT's binding lifetime, but cannot extend 
>the duration of the binding lifetime. Also, empirical testing 
>does not always give reliable results due to varying behaviour 
>of NAT and firewall implementations.
>
>This BoF is intended to discuss a newly-proposed technique for 
>using STUN to discover, query and control firewalls and NATs, 
>that can eliminate UDP keep-alive traffic. The BoF will review 
>the problem space and existing work, and decide if there is a 
>need for new work in the area, and if the IETF is an 
>appropriate home for that work. The intent is not to form a 
>new working group at this time, but to gauge interest in work 
>in this area, and consider an appropriate future home for that work.
>
>
>Agenda:
>    Introduction ...................................... (Chairs, 10)
>    Problem statement and scope ......................... (Wing, 15)
>    Survey of existing work ........................... (Barnes, 30)
>       draft-eggert-middlebox-control-survey-01.txt
>    NAT/Firewall control with STUN ...................... (Wing, 15)
>       draft-wing-behave-nat-control-stun-usage-05.txt
>    Discussion ................................................ (20)
>    Future directions ................................. (Chairs, 30)
>
>
>--
>version: 1.5, 16-Nov-2007
>
>
>
>_______________________________________________
>SAFE mailing list
>SAFE@ietf.org
>https://www1.ietf.org/mailman/listinfo/safe
>


_______________________________________________
SAFE mailing list
SAFE@ietf.org
https://www1.ietf.org/mailman/listinfo/safe

v2.23.0 | Report a Bug | By Email