[secdir] Review of draft-ymbk-aplusp-08

Tina Tsou <tena@huawei.com> Tue, 25 January 2011 21:27 UTC

Return-Path: <tena@huawei.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E9A543A68B1; Tue, 25 Jan 2011 13:27:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.237
X-Spam-Level:
X-Spam-Status: No, score=-106.237 tagged_above=-999 required=5 tests=[AWL=0.362, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6s2su1Enpefb; Tue, 25 Jan 2011 13:27:32 -0800 (PST)
Received: from usaga02-in.huawei.com (usaga02-in.huawei.com [206.16.17.70]) by core3.amsl.com (Postfix) with ESMTP id 8D3B43A68C6; Tue, 25 Jan 2011 13:27:32 -0800 (PST)
Received: from huawei.com (localhost [127.0.0.1]) by usaga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LFL00KLGL2UFA@usaga02-in.huawei.com>; Tue, 25 Jan 2011 13:30:31 -0800 (PST)
Received: from TingZousc1 ([10.212.245.166]) by usaga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0LFL00CLMKYGRG@usaga02-in.huawei.com>; Tue, 25 Jan 2011 13:30:30 -0800 (PST)
Date: Tue, 25 Jan 2011 13:27:56 -0800
From: Tina Tsou <tena@huawei.com>
To: ops-dir@ietf.org, secdir@ietf.org
Message-id: <01a201cbbcd7$197946c0$4c6bd440$@com>
MIME-version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Content-type: text/plain; charset=ISO-8859-1
Content-language: en-us
Content-transfer-encoding: quoted-printable
Thread-index: Acu81rPbyWvC8QjGT6iixeTbXkVESw==
x-cr-hashedpuzzle: Kb73 N1+x QaCS SRUO X9iC a/5H iiZT ohFD ooWx pZsn pgCe tH+x uHtg xbaB yRyF 8PCf; 5; ZAByAGEAZgB0AC0AeQBtAGIAawAtAGEAcABsAHUAcwBwAEAAdABvAG8AbABzAC4AaQBlAHQAZgAuAG8AcgBnADsAaQBlAHMAZwBAAGkAZQB0AGYALgBvAHIAZwA7AGkAZQB0AGYAQABpAGUAdABmAC4AbwByAGcAOwBvAHAAcwAtAGQAaQByAEAAaQBlAHQAZgAuAG8AcgBnADsAcwBlAGMAZABpAHIAQABpAGUAdABmAC4AbwByAGcA; Sosha1_v1; 7; {94249E4E-AC6C-4722-8559-B0DA304CD2B0}; dABlAG4AYQBAAGgAdQBhAHcAZQBpAC4AYwBvAG0A; Tue, 25 Jan 2011 21:27:43 GMT; UgBlAHYAaQBlAHcAIABvAGYAIABkAHIAYQBmAHQALQB5AG0AYgBrAC0AYQBwAGwAdQBzAHAALQAwADgA
x-cr-puzzleid: {94249E4E-AC6C-4722-8559-B0DA304CD2B0}
Cc: iesg@ietf.org, draft-ymbk-aplusp@tools.ietf.org, ietf@ietf.org
Subject: [secdir] Review of draft-ymbk-aplusp-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2011 21:27:34 -0000

I reviewed the document draft-ymbk-aplusp-08 in general.
 
Operations directorate and Security directorate reviews are solicited
primarily to help the area directors improve their efficiency, particularly
when preparing for IESG telechats, and allowing them to focus on documents
requiring their attention and spend less time on the trouble-free ones.

Improving the documents is important, but clearly a secondary purpose.
A third purpose is to broaden the OpsDir reviewers' exposure to work going
on in other parts of the IETF.
 
Reviews from OpsDir/SecDir members do not in and of themselves cause the
IESG to raise issue with a document. The reviews may, however, convince
individual IESG members to raise concern over a particular document
requiring further discussion. The reviews, particularly those conducted in
last call and earlier, may also help the document editors improve their
documents.
 
-----
This document is well written, though there may be some nits.

Comment #1:
In Abstract section this draft proposes an IPv4 address sharing scheme,
treating some of the port number bits as part of an extended IPv4 address.
A SOHO CPE (A+P) may provide with website service. When a host in external
network accesses this website, what information that DNS servers feedback to
host? If it is an IP address, it can't uniquely identify the CPE. If it is
IP + port range, how can host recognize this and process? If it is IP + some
a Port, how can DNS server know when port changed? 
Some Operators identify services by five elements include UDP/TCP well-known
ports when CPE is an unreliable device. If well-known ports changed, service
can't be recognized.

Comment #2:
Abstract section,
"In the face of IPv4 address exhaustion, the need for addresses is stronger
than the need to be able to address thousands of applications on a single
host."
- This viewpoint is not always true. During the transition from IPv4 to
IPv6, some set of operators do not want the services are affected, which may
result some customers lost. A smoothly transition technology is more
favorable.

Comment #3:
Section 1.1 says: Another issue with CGN is the trade-off between session
state and network placement.
- If there are too many session state to keep, two CGN or more can be
placed. A distributed CGN may be a good choice. And single point of failure
can be resolved

Comment #4:
In section 3.3.1, it says: different port-ranges can have different
lifetimes, and the CPE is not entitled to use them after they expire what is
the appropriate lifetime for a port-rang?  When for P2P application, many
ports are used. In a short-term period, when for some fixed service (e.g.
site), a port may be used for many years. Will the server allocate port
according application? Or else there is some security problem or port
efficient allocation. For the more, port allocation will make more burdens
for server because of large number s of ports and high frequency
requisition.

Comment #5:
SMAP (stateless A+P Mapping) is proposed in section 4.1, IPv4 address and
port is embedded in the IPv6 address – which would be used to create a
tunnel. 
- In section 5.2, “Dynamic Allocation of Port Ranges” is proposed. What if
the allocated ports do not belong to a single IP address? The SMAP mechanism
may not work in this case. 
- The IPv6 address would follow the format defined in
[I-D.ietf-behave-address-format], but port is not included in the address
formats defined by that draft. Any plan to define the address format?

Here is the format defined in [I-D.ietf-behave-address-format]:


    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |PL| 0-------------32--40--48--56--64--72--80--88--96--104---------|
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |32|     prefix    |v4(32)         | u | suffix                    |
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |40|     prefix        |v4(24)     | u |(8)| suffix                |
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |48|     prefix            |v4(16) | u | (16)  | suffix            |
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |56|     prefix                |(8)| u |  v4(24)   | suffix        |
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |64|     prefix                    | u |   v4(32)      | suffix    |
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |96|     prefix                                    |    v4(32)     |
    +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
						
						Figure 1


Comment #6:
In section 5.1.2 A+P for Mobile Providers 
- If A+P is implemented in a terminal device, e.g. mobile phone and PC,
there might be some problems, e.g. ARP problem – terminal would not be able
to send packets to other terminals sharing the same IP address with itself. 
- Any thoughts about the solution? A new NAT layer between the IP and
TCU/UDP layer in the stack?


Comment #7:
Section 5.2, it says: mechanism can allocate a port range from another IP
within the same subnet.
- For example, an internal host1 communicate with an external host2. At
first CPE allocates IP1 and a port for some a session. During the
communication, more sessions are built and there are no more ports in IP1.
If IP2 is used for session, the packet may be discarded by host2.
There may be some errors. Where does 198.51.100.3 come? I can't find it in
Figure 15.



Best Regards,
Tina TSOU
http://tinatsou.weebly.com/contact.html