IETF Logo Mail Archive

RE: [SAFE] RE: [tsv-area] BOF request under consideration: SAFE

<Markus.Isomaki@nokia.com> Thu, 11 October 2007 10:39 UTC

Return-path: <safe-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfvRb-0001AO-Er; Thu, 11 Oct 2007 06:39:07 -0400
Received: from safe by megatron.ietf.org with local (Exim 4.43) id 1IfvRb-0001AE-2P for safe-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 06:39:07 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IfvRW-00016C-7i; Thu, 11 Oct 2007 06:39:02 -0400
Received: from smtp.nokia.com ([131.228.20.171] helo=mgw-ext12.nokia.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IfvRU-0004qs-II; Thu, 11 Oct 2007 06:39:02 -0400
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-ext12.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l9BAcqDl022675; Thu, 11 Oct 2007 13:38:52 +0300
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 11 Oct 2007 13:38:51 +0300
Received: from esebe101.NOE.Nokia.com ([172.21.138.215]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 11 Oct 2007 13:22:29 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [SAFE] RE: [tsv-area] BOF request under consideration: SAFE
Date: Thu, 11 Oct 2007 13:22:27 +0300
Message-ID: <C84E0A4ABA6DD74DA5221E0833A35DF30A068FB2@esebe101.NOE.Nokia.com>
In-Reply-To: <0c6101c80ad1$189dda60$c3f0200a@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [SAFE] RE: [tsv-area] BOF request under consideration: SAFE
Thread-Index: AcgJvZ0rI60KpXPdQB6jKQIn8+/2ywADLx3QADhZ4oAABTDrAAADeRtgAEgK72A=
References: <470A480C.4040506@ericsson.com><FF29F13E2D78C047B4B79F4E062D0363387938@CORPUSMX20A.corp.emc.com><09ec01c80aac$9bf1d8f0$c3f0200a@cisco.com><FF29F13E2D78C047B4B79F4E062D0363387968@CORPUSMX20A.corp.emc.com> <0c6101c80ad1$189dda60$c3f0200a@cisco.com>
From: Markus.Isomaki@nokia.com
To: dwing@cisco.com, Black_David@emc.com
X-OriginalArrivalTime: 11 Oct 2007 10:22:29.0131 (UTC) FILETIME=[A0685DB0:01C80BF0]
X-Nokia-AV: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f8ee348dcc4be4a59bc395f7cd6343ad
Cc: safe@ietf.org, tsv-area@ietf.org
X-BeenThere: safe@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Self-Address Fixing Evolution <safe.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/safe>
List-Post: <mailto:safe@ietf.org>
List-Help: <mailto:safe-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/safe>, <mailto:safe-request@ietf.org?subject=subscribe>
Errors-To: safe-bounces@ietf.org

Hi,

STUN control would be able to reduce keepalive traffic for all UDP-based
applications or UDP encapsultated protocols. In addition to IPSec/IKE,
there are also other protocols such as DSMIPv6 and Teredo, that use UDP
encapsulation to work through NATs. So, one clear use case for STUN
control is to optimize how any of those protocols work through NATs.

IPSec VPNs are of special interest as they are already widely used. For
instance you can try to run a VPN connection on any handheld device in
any wide-area radio network (CDMA EV-DO, WCDMA, EDGE, WiMAX) and see how
long the battery on the device will last. Most of the battery is
consumed by NAT keepalives sent every 20 to 120 seconds while there is
no real traffic to send. Optimizing this should be of interest to: 
a) users (get their work done before the battery dies) 
b) enterprises (allow their employees get their work done while on the
road) 
c) handheld device vendors (make VPN usable in the devices) 
d) wireless operators (make VPN usable in their network) 
e) NAT vendors (sell boxes that meet the reqs of the above groups)

In the long run any IPv6 over IPv4 solutions might also become necessary
for mobile hosts and they will face the same UDP NAT problem. 

Markus
 

>-----Original Message-----
>From: ext Dan Wing [mailto:dwing@cisco.com] 
>Sent: 10 October, 2007 03:04
>To: Black_David@emc.com
>Cc: safe@ietf.org; tsv-area@ietf.org
>Subject: [SAFE] RE: [tsv-area] BOF request under consideration: SAFE
>
>Thanks for the pointer.  I read RFC4306 section 2.23, and IKE 
>(and IPsec) could benefit from reduced keepalive traffic if it 
>knew how often to send the keeaplive.  It could learn or 
>adjust the keepalive interval using UPnP, STUN Control, NAT-PMP, etc.
>
>So, the IPsec/IKE UDP-based NAT traversal technique is another 
>thing that could benefit from knowing the NAT binding lifetime
>-- much like SIP-Outbound benefits from knowing the NAT 
>binding lifetime and is able to reduce keepalive traffic.
>
>So, I think I'll mention this reduction of IPsec keepalive 
>traffic is another benefit that STUN Control could bring.  In 
>that light, I added the following to the soon-to-be-published
>draft-wing-behave-nat-control-stun-usage-04.txt:
>
>   2.4.  Reduce IPsec keepalive messages
>
>   STUN Control is also able to reduce keepalive traffic for non-STUN
>   protocols.  In Section 4 of [RFC3948], it is suggested that IPsec
>   keepalive packets be sent every 20 seconds if an on-path NAT is
>   detected.  If a host and its NAT were to implement STUN Control, the
>   host can query and control the NAT's binding lifetime, and thus
>   reduce the NAT keepalive traffic.  This reduction in keepalive
>   traffic would slightly reduce the load on its IPsec concentrator.
>
>-d
>
>
>> -----Original Message-----
>> From: Black_David@emc.com [mailto:Black_David@emc.com]
>> Sent: Tuesday, October 09, 2007 3:11 PM
>> To: dwing@cisco.com
>> Cc: magnus.westerlund@ericsson.com; tsv-area@ietf.org; safe@ietf.org
>> Subject: RE: [tsv-area] BOF request under consideration: SAFE
>> 
>> Dan,
>> 
>> Section 2.23 of RFC 4306 is also part of this technology.
>> 
>> I'm also not sure how any of this applies to the BoF.  The BoF 
>> proposal should probably contain a few sentences to say that 
>IPsec NAT 
>> Traversal is a different problem, including a brief 
>explanation of why 
>> it's different, and state that therefore it's outside the 
>scope of the 
>> BoF.
>> 
>> Thanks,
>> --David
>> ----------------------------------------------------
>> David L. Black, Senior Technologist
>> EMC Corporation, 176 South St., Hopkinton, MA  01748
>> +1 (508) 293-7953             FAX: +1 (508) 293-7786
>> black_david@emc.com        Mobile: +1 (978) 394-7754
>> ----------------------------------------------------
>> 
>> > -----Original Message-----
>> > From: Dan Wing [mailto:dwing@cisco.com]
>> > Sent: Tuesday, October 09, 2007 3:43 PM
>> > To: Black, David
>> > Cc: magnus.westerlund@ericsson.com; tsv-area@ietf.org; 
>safe@ietf.org
>> > Subject: RE: [tsv-area] BOF request under consideration: SAFE
>> > 
>> > Hi, David.  
>> > 
>> > I am aware of IPsec-over-UDP (RFC3947, RFC3948), but I'm not sure 
>> > how it applies in a comparison of MIDCOM, UPnP, NSIS-NSLP, 
>NAT-PMP, 
>> > and STUN/ICE.
>> > 
>> > -d
>> > 
>> > 
>> > > -----Original Message-----
>> > > From: Black_David@emc.com [mailto:Black_David@emc.com]
>> > > Sent: Monday, October 08, 2007 9:52 AM
>> > > To: magnus.westerlund@ericsson.com; tsv-area@ietf.org;
>> safe@ietf.org
>> > > Cc: Black_David@emc.com
>> > > Subject: RE: [tsv-area] BOF request under consideration: SAFE
>> > > 
>> > > Magnus,
>> > > 
>> > > IKE and IKEv2 NAT Traversal for IPsec (also widely 
>deployed, e.g., 
>> > > I believe my VPN client is using it to send this message 
>;-) ...) 
>> > > are not on the list of related technologies.  This might be an 
>> > > omission, but I suspect that the (assumed) problem 
>definition for 
>> > > SAFE may exclude IPsec (e.g., IKE and IKEv2 have a different 
>> > > security model for which a server like the STUN server may be 
>> > > problematic).  This should be clarified.
>> > > 
>> > > Thanks,
>> > > --David
>> > > ----------------------------------------------------
>> > > David L. Black, Senior Technologist EMC Corporation, 176 South 
>> > > St., Hopkinton, MA  01748
>> > > +1 (508) 293-7953             FAX: +1 (508) 293-7786
>> > > black_david@emc.com        Mobile: +1 (978) 394-7754
>> > > ----------------------------------------------------
>> > > 
>> > > > -----Original Message-----
>> > > > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com]
>> > > > Sent: Monday, October 08, 2007 11:09 AM
>> > > > To: TSV Area; Behave WG; mmusic (E-mail)
>> > > > Subject: [tsv-area] BOF request under consideration: SAFE
>> > > > 
>> > > > Hi,
>> > > > 
>> > > > We ADs have received a request for a BOF in Vancouver: SAFE - 
>> > > > Self-Address Fixing Evolution. See description below. I would
>> > > appreciate
>> > > > any feedback on this. For public discussion please use the SAFE
>> > > mailing
>> > > > list.
>> > > > 
>> > > > Post: safe@ietf.org
>> > > > Subscribe: https://www1.ietf.org/mailman/listinfo/safe
>> > > > 
>> > > > Draft:
>> > > >
>> > > http://www.ietf.org/internet-drafts/draft-wing-behave-nat-cont
>> > > rol-stun-u
>> > > sage-03.txt
>> > > > 
>> > > > 
>> > > > SAFE - Self-Address Fixing Evolution
>> > > > ------------------------------------
>> > > > 
>> > > > Chairs:
>> > > >   TBD
>> > > > 
>> > > > 
>> > > > ICE and its companion protocol STUN have been successfully
>> > > deployed on
>> > > > the Internet for NAT traversal.  ICE and STUN have several
>> > > characteristics
>> > > > which contribute to their success:
>> > > > 
>> > > >   1. incremental deployment.  ICE and STUN are functional
>> > > without any
>> > > >      modifications to existing NATs.
>> > > >   2. nested NATs.  ICE and STUN work when there are
>> multiple NATs
>> > > >      between a host and the Internet.
>> > > >   3. topology unaware.  ICE and STUN are not configured with
>> > > >      information about NATs, firewalls, or their
>> locations -- only
>> > > >      with the IP address of a server on the Internet.
>> > > >   4. simple security model.  If a host behind a NAT is
>> > > allowed to send
>> > > >      a packet across the NAT, it is allowed to receive
>> a response.
>> > > >   5. works on routed networks, which allows operation in both
>> > > >      enterprise networks and home networks.
>> > > > 
>> > > > Other NAT traversal protocols do not share these
>> characteristics,
>> > > > which hinders their widespread deployment.  Specifically,
>> > > > 
>> > > >   * incremental deployment is not possible with MIDCOM,
>> NSIS-NSLP,
>> > > >     UPnP, or Bonjour.  With all of these protocols, 
>both the NAT
>> > > >     and the endpoint have to support the same protocol.
>> > > >   * nested NATs are not possible with UPnP or Bonjour.
>> > > >   * topology awareness is required of MIDCOM.
>> > > >   * security must be established between the controlling entity
>> > > >     and the NAT for MIDCOM and NSIS-NSLP.
>> > > >   * Both UPnP and Bonjour use broadcast packets which 
>don't work
>> > > >     well on routed networks.
>> > > > 
>> > > > However, a drawback of ICE/STUN is its chatty 
>keepalive traffic, 
>> > > > which is a result of STUN not knowing the binding
>> lifetime of its
>> > > > on-path NATs.  This chattiness causes a burden on servers and 
>> > > > consumes network bandwidth, which is especially critical
>> > on wireless
>> > > > networks.  It is desirable to reduce this chattiness 
>while still 
>> > > > retaining the important characteristics of STUN and ICE.
>> > > > 
>> > > > This BoF is intended to discuss one proposed technique, 
>> > > > draft-wing-behave-nat-control-stun-usage, which nearly
>> eliminates
>> > > > STUN's keepalive chatter and still preserves the desirable 
>> > > > characteristics of STUN/ICE.
>> > > > 
>> > > > The purpose of this BoF is to create a working group for
>> > > this effort.
>> > > > 
>> > > > 
>> > > > Agenda:
>> > > >   Introduction, Agenda ....................................  5
>> > > >   Summary of existing NAT traversal techniques ............ 40
>> > > >    (UPnP, NAT-PMP/Bonjour, MIDCOM techniques, NSIS-NSLP, ICE)
>> > > >   draft-wing-behave-nat-control-stun-usage ................ 40
>> > > >   Q&A ..................................................... 25
>> > > >                                                     ----------
>> > > >                                                     total: 110
>> > > > 
>> > > > Cheers
>> > > > 
>> > > > Magnus Westerlund
>> > > > 
>> > > > IETF Transport Area Director & TSVWG Chair
>> > > > 
>> > > 
>> > 
>> 
>----------------------------------------------------------------------
>> > > > Multimedia Technologies, Ericsson Research EAB/TVM/M
>> > > > 
>> > > 
>> > 
>> 
>----------------------------------------------------------------------
>> > > > Ericsson AB                | Phone +46 8 4048287
>> > > > Torshamsgatan 23           | Fax   +46 8 7575550
>> > > > S-164 80 Stockholm, Sweden | mailto: 
>> > magnus.westerlund@ericsson.com
>> > > > 
>> > > 
>> > 
>> 
>----------------------------------------------------------------------
>> > > > 
>> > > > 
>> > > > 
>> > > > 
>> > 
>> > 
>
>
>_______________________________________________
>SAFE mailing list
>SAFE@ietf.org
>https://www1.ietf.org/mailman/listinfo/safe
>


_______________________________________________
SAFE mailing list
SAFE@ietf.org
https://www1.ietf.org/mailman/listinfo/safe

v2.23.0 | Report a Bug | By Email