IETF Logo Mail Archive

Re: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues

<pierre.levis@orange-ftgroup.com> Tue, 02 March 2010 06:41 UTC

Return-Path: <pierre.levis@orange-ftgroup.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A54963A7DD9 for <shara@core3.amsl.com>; Mon, 1 Mar 2010 22:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSBk5eSDgGhH for <shara@core3.amsl.com>; Mon, 1 Mar 2010 22:41:48 -0800 (PST)
Received: from relais-inet.francetelecom.com (relais-ias245.francetelecom.com [80.12.204.245]) by core3.amsl.com (Postfix) with ESMTP id 72B273A8B16 for <shara@ietf.org>; Mon, 1 Mar 2010 22:41:46 -0800 (PST)
Received: from omfeda07.si.francetelecom.fr (unknown [xx.xx.xx.200]) by omfeda10.si.francetelecom.fr (ESMTP service) with ESMTP id AE4A2374792; Tue, 2 Mar 2010 07:41:45 +0100 (CET)
Received: from ftrdsmtp1.rd.francetelecom.fr (unknown [10.192.128.46]) by omfeda07.si.francetelecom.fr (ESMTP service) with ESMTP id 8E631158045; Tue, 2 Mar 2010 07:41:45 +0100 (CET)
Received: from ftrdmel0.rd.francetelecom.fr ([10.192.128.56]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.3959); Tue, 2 Mar 2010 07:41:45 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 02 Mar 2010 07:41:44 +0100
Message-ID: <22201_1267512105_4B8CB329_22201_305989_1_F1A741D65FFEF6489D607B26ABA0ED5701A5DA81@ftrdmel0.rd.francetelecom.fr>
In-Reply-To: <4233_1267439756_4B8B988C_4233_6698_1_94C682931C08B048B7A8645303FDC9F30EFAFF530F@PUEXCB1B.nanterre.francetelecom.fr>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
Thread-Index: Acq5Kvj2gX0kmXnPSxGusAebQamD+gAKpK6w
References: <4233_1267439756_4B8B988C_4233_6698_1_94C682931C08B048B7A8645303FDC9F30EFAFF530F@PUEXCB1B.nanterre.francetelecom.fr>
From: pierre.levis@orange-ftgroup.com
To: dthaler@microsoft.com, shara@ietf.org
X-OriginalArrivalTime: 02 Mar 2010 06:41:45.0845 (UTC) FILETIME=[6D6B0A50:01CAB9D3]
X-PMX-Version: 5.5.7.378829, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2010.3.2.54225
Subject: Re: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 06:41:52 -0000

Hi all,

I'd like to refocus I-D.thaler-port-restricted-ip-issues on the subject that was discussed in Hiroshima during the aplusp BoF.

Dave's draft is exclusively focussed on A+P directly applied to hosts, as clearly stated in the abstract:
"This document discusses issues with assigning an IP address to a host
interface such that the IP address may only be used with a restricted
set of ports."

Dave explicitly concludes that other A+P approaches (A+P in CPEs is the dominant one), are not covered by these issues:
"The primary cause of the issues unique to port-restricted IP addresses comes from assigning such an address to
a device's interface.  This concept does not occur in classic NAT.
...
It is possible that the same state benefits motivating the concept of port-
restricted IP addresses may be possible in other approaches that do
not involve assigning a port-restricted IP address to an interface, 
but this investigation is left to other documents"

If you go back to the introductory slides of the aplusp BoF, it is also clear that A+P directly in hosts was out of the scope:
"Host-based A+P brings additional complexity" in slide 5 of 01-agenda.ppt


So, from the strict aplusp BoF point of view, this draft brings no objection on continuing the A+P work at the IETF.



Regards,

Pierre



-----Message d'origine-----
De : shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] De la part de mohamed.boucadair@orange-ftgroup.com
Envoyé : lundi 1 mars 2010 11:36
À : dthaler@microsoft.com
Cc : shara@ietf.org
Objet : [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues


Dear Dave,

In your draft, you wrote: "To actually apply a port restriction, host stack implementations
   would need to change.  Without such a change, a host may naturally
   attempt to use the IP address with arbitrary protocols and ports,
   which would be akin to address spoofing in a port-restricted IP
   address model."

For fixed networks, several scenarios for the deployment of port restriction may be considered. Host-based model is one flavour among others.
 
For the CPE-based model, port-restriction features are not required to be supported by the hosts behind the CPE since port-restriction are to be enforced in the CPE: No changes are required for the hosts in such scenario.

For the host-based model (e.g., mobile networks), I agree that port-restriction feature is required to be supported by the host. Some modifications are needed (FYI, port-restriction feature may be activated by entering two IPTABLES lines in Linux-based Oses.). These modifications are to be positioned against expected gains such as:

- Battery consumption for mobile devices because keepalive messages to maintain NAT entries are avoided (in NAT-based solutions, "Always-on" services would impact severely the battery consumption. Not to mention several layers of keepalive messages: e.g., IPsec, SIP )
- No need to embed ALG in intermediary nodes. 
- No need to embed NAT traversal technique in the host
- No latency due to retrieving the perceived IPv4 public address (to be assigned by the NAT)
- Session tracking issues: It is not required to maintain per-session tracking information (legal requirement)
- Etc.  

Cheers,
Med

*********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. 
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration. 
France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
********************************

_______________________________________________
shara mailing list
shara@ietf.org
https://www.ietf.org/mailman/listinfo/shara

*********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. 
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration. 
France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
********************************

v2.23.0 | Report a Bug | By Email