IETF Logo Mail Archive

[SAFE] RE: [tsv-area] BOF request under consideration: SAFE

"Dan Wing" <dwing@cisco.com> Wed, 10 October 2007 00:04 UTC

Return-path: <safe-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfP3t-0006yC-O1; Tue, 09 Oct 2007 20:04:29 -0400
Received: from safe by megatron.ietf.org with local (Exim 4.43) id 1IfP3s-0006y0-Mq for safe-confirm+ok@megatron.ietf.org; Tue, 09 Oct 2007 20:04:28 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfP3s-0006xf-3L; Tue, 09 Oct 2007 20:04:28 -0400
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IfP3l-0000V2-Md; Tue, 09 Oct 2007 20:04:28 -0400
X-IronPort-AV: E=Sophos;i="4.21,251,1188802800"; d="scan'208";a="533212952"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-3.cisco.com with ESMTP; 09 Oct 2007 17:04:16 -0700
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id l9A04Gwm010160; Tue, 9 Oct 2007 17:04:16 -0700
Received: from dwingwxp01 ([10.32.240.195]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l9A04FZo013481; Wed, 10 Oct 2007 00:04:15 GMT
From: Dan Wing <dwing@cisco.com>
To: Black_David@emc.com
References: <470A480C.4040506@ericsson.com> <FF29F13E2D78C047B4B79F4E062D0363387938@CORPUSMX20A.corp.emc.com> <09ec01c80aac$9bf1d8f0$c3f0200a@cisco.com> <FF29F13E2D78C047B4B79F4E062D0363387968@CORPUSMX20A.corp.emc.com>
Date: Tue, 09 Oct 2007 17:04:14 -0700
Message-ID: <0c6101c80ad1$189dda60$c3f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3138
Thread-Index: AcgJvZ0rI60KpXPdQB6jKQIn8+/2ywADLx3QADhZ4oAABTDrAAADeRtg
In-Reply-To: <FF29F13E2D78C047B4B79F4E062D0363387968@CORPUSMX20A.corp.emc.com>
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=8845; t=1191974656; x=1192838656; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[tsv-area]=20BOF=20request=20under=20consideration=3A =20SAFE |Sender:=20; bh=gFi8lE/e4tiQrT3GUpMMxIzKPMaQSHsFJ/RtKLk7l6I=; b=HS5DAKrQml80MtMt4Bh+kfdnYLRdUr61nATlMoe2LQUUPOuepcUq51LB1NvB/9ulfKYyJqDi D6hFDmx5hMULzTVeYhdDrcApBuCWzIAPO3C5WhZS//+bpbkQcZzlvBoF;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim3002 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: e367d58950869b6582535ddf5a673488
Cc: safe@ietf.org, tsv-area@ietf.org
Subject: [SAFE] RE: [tsv-area] BOF request under consideration: SAFE
X-BeenThere: safe@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Self-Address Fixing Evolution <safe.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/safe>
List-Post: <mailto:safe@ietf.org>
List-Help: <mailto:safe-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=subscribe>
Errors-To: safe-bounces@ietf.org

Thanks for the pointer.  I read RFC4306 section 2.23, and IKE
(and IPsec) could benefit from reduced keepalive traffic if it
knew how often to send the keeaplive.  It could learn or adjust
the keepalive interval using UPnP, STUN Control, NAT-PMP, etc.

So, the IPsec/IKE UDP-based NAT traversal technique is another 
thing that could benefit from knowing the NAT binding lifetime 
-- much like SIP-Outbound benefits from knowing the NAT binding 
lifetime and is able to reduce keepalive traffic.

So, I think I'll mention this reduction of IPsec keepalive 
traffic is another benefit that STUN Control could bring.  In
that light, I added the following to the soon-to-be-published
draft-wing-behave-nat-control-stun-usage-04.txt:

   2.4.  Reduce IPsec keepalive messages

   STUN Control is also able to reduce keepalive traffic for non-STUN
   protocols.  In Section 4 of [RFC3948], it is suggested that IPsec
   keepalive packets be sent every 20 seconds if an on-path NAT is
   detected.  If a host and its NAT were to implement STUN Control, the
   host can query and control the NAT's binding lifetime, and thus
   reduce the NAT keepalive traffic.  This reduction in keepalive
   traffic would slightly reduce the load on its IPsec concentrator.

-d


> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com] 
> Sent: Tuesday, October 09, 2007 3:11 PM
> To: dwing@cisco.com
> Cc: magnus.westerlund@ericsson.com; tsv-area@ietf.org; safe@ietf.org
> Subject: RE: [tsv-area] BOF request under consideration: SAFE
> 
> Dan,
> 
> Section 2.23 of RFC 4306 is also part of this technology.
> 
> I'm also not sure how any of this applies to the BoF.  The
> BoF proposal should probably contain a few sentences to
> say that IPsec NAT Traversal is a different problem,
> including a brief explanation of why it's different, and
> state that therefore it's outside the scope of the BoF.
> 
> Thanks,
> --David
> ----------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 176 South St., Hopkinton, MA  01748
> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> black_david@emc.com        Mobile: +1 (978) 394-7754
> ----------------------------------------------------
> 
> > -----Original Message-----
> > From: Dan Wing [mailto:dwing@cisco.com] 
> > Sent: Tuesday, October 09, 2007 3:43 PM
> > To: Black, David
> > Cc: magnus.westerlund@ericsson.com; tsv-area@ietf.org; safe@ietf.org
> > Subject: RE: [tsv-area] BOF request under consideration: SAFE
> > 
> > Hi, David.  
> > 
> > I am aware of IPsec-over-UDP (RFC3947, RFC3948), but I'm not sure 
> > how it applies in a comparison of MIDCOM, UPnP, NSIS-NSLP, 
> > NAT-PMP, and STUN/ICE.
> > 
> > -d
> > 
> > 
> > > -----Original Message-----
> > > From: Black_David@emc.com [mailto:Black_David@emc.com] 
> > > Sent: Monday, October 08, 2007 9:52 AM
> > > To: magnus.westerlund@ericsson.com; tsv-area@ietf.org; 
> safe@ietf.org
> > > Cc: Black_David@emc.com
> > > Subject: RE: [tsv-area] BOF request under consideration: SAFE
> > > 
> > > Magnus,
> > > 
> > > IKE and IKEv2 NAT Traversal for IPsec (also widely deployed, e.g.,
> > > I believe my VPN client is using it to send this message ;-) ...)
> > > are not on the list of related technologies.  This might be an
> > > omission, but I suspect that the (assumed) problem definition
> > > for SAFE may exclude IPsec (e.g., IKE and IKEv2 have a different
> > > security model for which a server like the STUN server may be
> > > problematic).  This should be clarified.
> > > 
> > > Thanks,
> > > --David
> > > ----------------------------------------------------
> > > David L. Black, Senior Technologist
> > > EMC Corporation, 176 South St., Hopkinton, MA  01748
> > > +1 (508) 293-7953             FAX: +1 (508) 293-7786
> > > black_david@emc.com        Mobile: +1 (978) 394-7754
> > > ----------------------------------------------------
> > > 
> > > > -----Original Message-----
> > > > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com] 
> > > > Sent: Monday, October 08, 2007 11:09 AM
> > > > To: TSV Area; Behave WG; mmusic (E-mail)
> > > > Subject: [tsv-area] BOF request under consideration: SAFE
> > > > 
> > > > Hi,
> > > > 
> > > > We ADs have received a request for a BOF in Vancouver: SAFE -
> > > > Self-Address Fixing Evolution. See description below. I would
> > > appreciate
> > > > any feedback on this. For public discussion please use the SAFE
> > > mailing
> > > > list.
> > > > 
> > > > Post: safe@ietf.org
> > > > Subscribe: https://www1.ietf.org/mailman/listinfo/safe
> > > > 
> > > > Draft:
> > > >
> > > http://www.ietf.org/internet-drafts/draft-wing-behave-nat-cont
> > > rol-stun-u
> > > sage-03.txt
> > > > 
> > > > 
> > > > SAFE - Self-Address Fixing Evolution
> > > > ------------------------------------
> > > > 
> > > > Chairs:
> > > >   TBD
> > > > 
> > > > 
> > > > ICE and its companion protocol STUN have been successfully 
> > > deployed on
> > > > the Internet for NAT traversal.  ICE and STUN have several
> > > characteristics
> > > > which contribute to their success:
> > > > 
> > > >   1. incremental deployment.  ICE and STUN are functional 
> > > without any
> > > >      modifications to existing NATs.
> > > >   2. nested NATs.  ICE and STUN work when there are 
> multiple NATs
> > > >      between a host and the Internet.
> > > >   3. topology unaware.  ICE and STUN are not configured with
> > > >      information about NATs, firewalls, or their 
> locations -- only
> > > >      with the IP address of a server on the Internet.
> > > >   4. simple security model.  If a host behind a NAT is 
> > > allowed to send
> > > >      a packet across the NAT, it is allowed to receive 
> a response.
> > > >   5. works on routed networks, which allows operation in both
> > > >      enterprise networks and home networks.
> > > > 
> > > > Other NAT traversal protocols do not share these 
> characteristics,
> > > > which hinders their widespread deployment.  Specifically,
> > > > 
> > > >   * incremental deployment is not possible with MIDCOM, 
> NSIS-NSLP,
> > > >     UPnP, or Bonjour.  With all of these protocols, both the NAT
> > > >     and the endpoint have to support the same protocol.
> > > >   * nested NATs are not possible with UPnP or Bonjour.
> > > >   * topology awareness is required of MIDCOM.
> > > >   * security must be established between the controlling entity
> > > >     and the NAT for MIDCOM and NSIS-NSLP.
> > > >   * Both UPnP and Bonjour use broadcast packets which don't work
> > > >     well on routed networks.
> > > > 
> > > > However, a drawback of ICE/STUN is its chatty keepalive traffic,
> > > > which is a result of STUN not knowing the binding 
> lifetime of its
> > > > on-path NATs.  This chattiness causes a burden on servers and
> > > > consumes network bandwidth, which is especially critical 
> > on wireless
> > > > networks.  It is desirable to reduce this chattiness while still
> > > > retaining the important characteristics of STUN and ICE.
> > > > 
> > > > This BoF is intended to discuss one proposed technique,
> > > > draft-wing-behave-nat-control-stun-usage, which nearly 
> eliminates
> > > > STUN's keepalive chatter and still preserves the desirable
> > > > characteristics of STUN/ICE.
> > > > 
> > > > The purpose of this BoF is to create a working group for 
> > > this effort.
> > > > 
> > > > 
> > > > Agenda:
> > > >   Introduction, Agenda ....................................  5
> > > >   Summary of existing NAT traversal techniques ............ 40
> > > >    (UPnP, NAT-PMP/Bonjour, MIDCOM techniques, NSIS-NSLP, ICE)
> > > >   draft-wing-behave-nat-control-stun-usage ................ 40
> > > >   Q&A ..................................................... 25
> > > >                                                     ----------
> > > >                                                     total: 110
> > > > 
> > > > Cheers
> > > > 
> > > > Magnus Westerlund
> > > > 
> > > > IETF Transport Area Director & TSVWG Chair
> > > > 
> > > 
> > 
> ----------------------------------------------------------------------
> > > > Multimedia Technologies, Ericsson Research EAB/TVM/M
> > > > 
> > > 
> > 
> ----------------------------------------------------------------------
> > > > Ericsson AB                | Phone +46 8 4048287
> > > > Torshamsgatan 23           | Fax   +46 8 7575550
> > > > S-164 80 Stockholm, Sweden | mailto: 
> > magnus.westerlund@ericsson.com
> > > > 
> > > 
> > 
> ----------------------------------------------------------------------
> > > > 
> > > > 
> > > > 
> > > > 
> > 
> > 


_______________________________________________
SAFE mailing list
SAFE@ietf.org
https://www1.ietf.org/mailman/listinfo/safe

v2.23.0 | Report a Bug | By Email