IETF Logo Mail Archive

Re: [SAFE] SAFE BoF in Vancouver

Jonathan Rosenberg <jdrosen@cisco.com> Mon, 03 December 2007 08:02 UTC

Return-path: <safe-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iz6GB-0003bq-CL; Mon, 03 Dec 2007 03:02:35 -0500
Received: from safe by megatron.ietf.org with local (Exim 4.43) id 1Iz6GA-0003aX-6Z for safe-confirm+ok@megatron.ietf.org; Mon, 03 Dec 2007 03:02:34 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iz6G9-0003aB-QE for safe@ietf.org; Mon, 03 Dec 2007 03:02:33 -0500
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Iz6G8-000522-9Q for safe@ietf.org; Mon, 03 Dec 2007 03:02:33 -0500
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 03 Dec 2007 00:02:31 -0800
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id lB382VeF012943; Mon, 3 Dec 2007 00:02:31 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id lB382Q75021999; Mon, 3 Dec 2007 08:02:31 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 3 Dec 2007 00:02:26 -0800
Received: from [10.21.87.30] ([10.21.87.30]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 3 Dec 2007 00:02:25 -0800
Message-ID: <47531026.9000504@cisco.com>
Date: Sun, 02 Dec 2007 15:05:58 -0500
From: Jonathan Rosenberg <jdrosen@cisco.com>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Markus.Isomaki@nokia.com
Subject: Re: [SAFE] SAFE BoF in Vancouver
References: <351D0D85-DE60-4F47-8D16-E61B6799EC79@csperkins.org> <C84E0A4ABA6DD74DA5221E0833A35DF30A26C758@esebe101.NOE.Nokia.com>
In-Reply-To: <C84E0A4ABA6DD74DA5221E0833A35DF30A26C758@esebe101.NOE.Nokia.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 03 Dec 2007 08:02:26.0014 (UTC) FILETIME=[D7A737E0:01C83582]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=10781; t=1196668951; x=1197532951; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jdrosen@cisco.com; z=From:=20Jonathan=20Rosenberg=20<jdrosen@cisco.com> |Subject:=20Re=3A=20[SAFE]=20SAFE=20BoF=20in=20Vancouver |Sender:=20; bh=BKBgoQ6zX7BdFz9toGZuw7zbtjMqRIaYcsaCLnew6wI=; b=GlYKnjQSMEmjR2+3IK5kgkqe5MwFKqM0/m82VQu9bz4I9XUfEH6I/LLl9D1wB7s9e7QdrQeD WQyUvooPor+HWnX4eZWiE5Fcym4o8N95x3Y4VAbZzwwE84TATTx/PkMS;
Authentication-Results: sj-dkim-2; header.From=jdrosen@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
X-Spam-Score: 1.9 (+)
X-Scan-Signature: 6a45e05c1e4343200aa6b327df2c43fc
Cc: safe@ietf.org
X-BeenThere: safe@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Self-Address Fixing Evolution <safe.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/safe>
List-Post: <mailto:safe@ietf.org>
List-Help: <mailto:safe-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=subscribe>
Errors-To: safe-bounces@ietf.org

My two cents: I think the primary requirement is the ability to control 
binding lifetimes explicitly for UDP, and thats it. Everything else, 
like discovering intervening NAT, is a consequence of that requirement, 
and not a requirement by itself. I think binding lifetime control is the 
main issue since, without NAT control, techniques like ICE and sip 
outbound work well-enough that really we don't need control of the NAT. 
So, what is it thats not working so well with ICE and sip-outbound? 
Really primarily in the sip-outbound case its the frequent keepalive. So 
lets fix just that problem.

-Jonathan R.



Markus.Isomaki@nokia.com wrote:
> Hi,
> 
> Here are some thougths on what I think we should be able to figure out
> wrt. this BoF. Not necessarily perfectly structured, but I hope this
> helps to initiate some discussion already *before* the actual BoF
> session, and helps us to formulate the actual key questions to present
> in the BoF.
> 
> 
> Requirements
> ------------
> 
> Perhaps it's fair to say that stun-control is mostly an opportunistic
> extension of an existing protocol (STUN) to do some new stuff (control
> NATs instead of just discovering them) rather than a top-down design
> based on pre-established requirements. However, to evaluate the
> usefulness of stun-control we should agree on some set of requirements
> that the protocol should meet and then see if it makes sense to use STUN
> as a starting point.
> 
> It might help as as starting point to list what stun-control CAN do
> without taking it too far. Here is my initial attempt, please comment:
> - Discover the NATs between the host and its STUN server. Assuming only
> a "single route" between the host and it's outmost NAT, these are the
> NATs between the host and any other host in the Internet. Assuming a
> more complex topology, the set of NATs depends on the peer (and
> routing/link state). There may be further issues with overalapping
> private address spaces.
> - Discover the "properties" of the UDP-binding in each of the NATs, in
> practice the filtering rules and expiration timer. Here it is important
> to note that this needs to be done binding-by-binding and in it's not
> possible to discover bindings created by other hosts. This can be seen
> as a feature or a limitation. 
> - Configure the properties of the discovered bindings, if allowed by the
> NAT policy. 
> - Discover which "control" protocols are supported by each NAT,
> including other than STUN itself.
> 
> The current draft also extends the discovery and control to firewalls,
> with a slightly different techique. 
> 
> Based on this analysis a few questions can be raised:
> - Is a protocol with features and limitations listed above useful on its
> own, or should the functionality be offered as part of some more capable
> protocol?
> - Should firewalls be in or out of scope?
> - Should only UDP be considered, or should also TCP be brought to scope?
> If we want to include TCP, does STUN approach make sense?
> - Is it a feature or a limitation that bindings are
> controlled/discovered one-by-one and hosts can only control/discover
> their own bindings?
> 
> Applicability
> -------------
> 
> This relates very much to requirements, i.e. from which real-word
> problem do we derive our requirements from and does stun-control indeed
> solve a real problem in a reasonable way. I think that the problem
> statement is relatively well written in the BoF proposal, including
> things like power consumption, server load and possibilty to optimize
> certain NAT traversal scenarios. Some questions related to this are:
> - What are the exact problems stun-control is supposed to solve?
> - Does it really solve them *well enough*? (For instance there are
> issues like the complex topologies, inability to discover
> non-STUN-supporting firewalls, overlapping address spaces and so on. Are
> these serious enough to ruin the use cases people have in mind or can we
> live with them?)
> - Can it be incrementally deployed? This has been one selling argument.
> 
> 
> Relation to other work
> ----------------------
> 
> This is the tough part related to dozens of other middlebox related
> protocols, i.e. how does stun-control fit in or differentiate itself.
> stun-control seems to have some distinct qualitities compared to various
> other protocols. It is hard to describe the differences in brief,
> draft-eggert-middlebox-control-survey is one attempt to classify and
> compare such protocols. Conserns about overlap with UPnP IGD has been
> specifically brough up. In that case the difference is quite clear,
> related e.g. to stun-control supporting nested NATs. In general there
> are various questions:
> - What is the difference/overlap between stun-control and protocols X, Y
> and Z?
> - What are the most relevant X, Y, and Z?
> - In cases of partial overlaps, can the protocols co-exist?
> - Does stun-control have some qualities why it would be easier to deploy
> than some of the existing protocols that (AFAIK) have not enjoyed wide
> deployment so far?
> 
> Another area is the separation of discovery and control. In some cases,
> e.g. with Teredo, Teredo itself can discover the outermost NAT and
> stun-control can start its work from that point onward. On the other
> hand, stun-control can be used only for discovery and some other
> protocols (such as UPnP IGD) for the actual control.
> - Should these kind of interactions be described somewhere in more
> detail, or do we just leave them to the product vendors to figure out
> (who may come up with exotic combinations...)?
> 
> Interest in the vendor/ISP/enterprise/application community
> -----------------------------------------------------------
> 
> By definition middlebox control solutions are not end-to-end things that
> we can just layer on top of the Internet. So, their success heavily
> depends on the vendors actually building the middleboxes. Also, in many
> cases the features need to be explicitly turned on by the ISPs or
> enterprise IT folks, so their support is also needed. Finally, support
> is needed from the less-well-defined applications community, who need to
> integrate the capabilities in the actual applications who want the
> control capabilities.
> - Can we say anyting about the interest of these communities toward
> stun-control? Is there any good way to find this out?
> 
> 
> Regards,
> 	Markus
> 
> 
> 
>> -----Original Message-----
>> From: ext Colin Perkins [mailto:csp@csperkins.org] 
>> Sent: 16 November, 2007 16:00
>> To: ietf@ietf.org
>> Cc: safe@ietf.org; Isomaki Markus (Nokia-SIR/Espoo)
>> Subject: [SAFE] SAFE BoF in Vancouver
>>
>> The following BoF has been proposed for the Vancouver IETF. 
>> There is a mailing list <safe@ietf.org> for discussion.
>>
>> Colin
>>
>>
>>
>>
>> SAFE - Self-Address Fixing Evolution BoF
>> ----------------------------------------
>>
>> Chairs:
>>   Colin Perkins  (csp@csperkins.org)
>>   Markus Isomaki (Markus.Isomaki@nokia.com)
>>
>> Mailing list:
>>   https://www1.ietf.org/mailman/listinfo/safe
>>
>> Various NAT hole-punching techniques such as IPsec NAT 
>> traversal, Teredo, and STUN/ICE send periodic UDP keep-alive 
>> messages to keep their NAT binding alive.
>>
>> However, a drawback of these techniques is their chattiness 
>> which is a result of the host application not knowing the 
>> NAT's binding lifetime (IPsec NAT traversal, STUN/ICE) or 
>> because the application is unable to extend the lifetime of 
>> the NAT's binding (Teredo).  The endpoint has to send periodic 
>> packets which consume power on battery powered devices, 
>> consume network bandwidth, and place an unnecessary load on servers.
>>
>> There are two approaches to resolve the problem of chattiness. 
>> The first is to interact directly with the NAT using a NAT 
>> control protocol. Several of these protocols exist which 
>> unfortunately have different drawbacks:
>>
>>   * incremental deployment is not possible with MIDCOM, NSIS-NSLP,
>>     UPnP IGD, or NAT-PMP.  With all of these protocols, both the NAT
>>     and the endpoint have to support the same protocol
>>   * nested NATs are not possible with UPnP IGD or NAT-PMP
>>   * topology awareness is required of MIDCOM
>>   * security must be established between the controlling entity and
>>     the NAT for MIDCOM and NSIS-NSLP
>>   * UPnP IGD uses broadcasts packets and NAT-PMP expects the NAT to be
>>     the default gateway; neither work well on routed networks
>>
>> The second approach is to empirically test the NAT's binding 
>> lifetime, as done by Teredo. This can optimise the keep-alive 
>> traffic based on the NAT's binding lifetime, but cannot extend 
>> the duration of the binding lifetime. Also, empirical testing 
>> does not always give reliable results due to varying behaviour 
>> of NAT and firewall implementations.
>>
>> This BoF is intended to discuss a newly-proposed technique for 
>> using STUN to discover, query and control firewalls and NATs, 
>> that can eliminate UDP keep-alive traffic. The BoF will review 
>> the problem space and existing work, and decide if there is a 
>> need for new work in the area, and if the IETF is an 
>> appropriate home for that work. The intent is not to form a 
>> new working group at this time, but to gauge interest in work 
>> in this area, and consider an appropriate future home for that work.
>>
>>
>> Agenda:
>>    Introduction ...................................... (Chairs, 10)
>>    Problem statement and scope ......................... (Wing, 15)
>>    Survey of existing work ........................... (Barnes, 30)
>>       draft-eggert-middlebox-control-survey-01.txt
>>    NAT/Firewall control with STUN ...................... (Wing, 15)
>>       draft-wing-behave-nat-control-stun-usage-05.txt
>>    Discussion ................................................ (20)
>>    Future directions ................................. (Chairs, 30)
>>
>>
>> --
>> version: 1.5, 16-Nov-2007
>>
>>
>>
>> _______________________________________________
>> SAFE mailing list
>> SAFE@ietf.org
>> https://www1.ietf.org/mailman/listinfo/safe
>>
> 
> 
> _______________________________________________
> SAFE mailing list
> SAFE@ietf.org
> https://www1.ietf.org/mailman/listinfo/safe
> 

-- 
Jonathan D. Rosenberg, Ph.D.                   499 Thornall St.
Cisco Fellow                                   Edison, NJ 08837
Cisco, Voice Technology Group
jdrosen@cisco.com
http://www.jdrosen.net                         PHONE: (408) 902-3084
http://www.cisco.com


_______________________________________________
SAFE mailing list
SAFE@ietf.org
https://www1.ietf.org/mailman/listinfo/safe

v2.23.0 | Report a Bug | By Email