Re: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
Dave Thaler <dthaler@microsoft.com> Tue, 02 March 2010 17:09 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A2983A87DF for <shara@core3.amsl.com>; Tue, 2 Mar 2010 09:09:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YEQ31W8t4Xgr for <shara@core3.amsl.com>; Tue, 2 Mar 2010 09:09:02 -0800 (PST)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by core3.amsl.com (Postfix) with ESMTP id 1FF3B3A8B78 for <shara@ietf.org>; Tue, 2 Mar 2010 09:09:02 -0800 (PST)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 2 Mar 2010 09:09:03 -0800
Received: from TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com (157.54.71.68) by TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.0.639.21; Tue, 2 Mar 2010 09:09:03 -0800
Received: from TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com ([169.254.1.63]) by TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.68]) with mapi; Tue, 2 Mar 2010 09:09:01 -0800
From: Dave Thaler <dthaler@microsoft.com>
To: "pierre.levis@orange-ftgroup.com" <pierre.levis@orange-ftgroup.com>, "shara@ietf.org" <shara@ietf.org>
Thread-Topic: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
Thread-Index: AQHKudOGQaBzfwjk8kKwlj3f0NnQNZHe4SZA
Date: Tue, 02 Mar 2010 17:08:56 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF65138ECE7C@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
References: <4233_1267439756_4B8B988C_4233_6698_1_94C682931C08B048B7A8645303FDC9F30EFAFF530F@PUEXCB1B.nanterre.francetelecom.fr> <22201_1267512105_4B8CB329_22201_305989_1_F1A741D65FFEF6489D607B26ABA0ED5701A5DA81@ftrdmel0.rd.francetelecom.fr>
In-Reply-To: <22201_1267512105_4B8CB329_22201_305989_1_F1A741D65FFEF6489D607B26ABA0ED5701A5DA81@ftrdmel0.rd.francetelecom.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 17:09:03 -0000
See also the second paragraph of section 4. Other sections (5, 6) also apply to a CPE-only model. So it is incorrect to say that this draft raises no issues with such a model. Classic NAT != the CPE model here. -Dave > -----Original Message----- > From: pierre.levis@orange-ftgroup.com [mailto:pierre.levis@orange- > ftgroup.com] > Sent: Monday, March 01, 2010 10:42 PM > To: Dave Thaler; shara@ietf.org > Cc: mohamed.boucadair@orange-ftgroup.com > Subject: RE: [shara] draft-thaler-port-restricted-ip-issues: Host > ImplementationIssues > > Hi all, > > I'd like to refocus I-D.thaler-port-restricted-ip-issues on the subject > that was discussed in Hiroshima during the aplusp BoF. > > Dave's draft is exclusively focussed on A+P directly applied to hosts, > as clearly stated in the abstract: > "This document discusses issues with assigning an IP address to a host > interface such that the IP address may only be used with a restricted > set of ports." > > Dave explicitly concludes that other A+P approaches (A+P in CPEs is the > dominant one), are not covered by these issues: > "The primary cause of the issues unique to port-restricted IP addresses > comes from assigning such an address to > a device's interface. This concept does not occur in classic NAT. > ... > It is possible that the same state benefits motivating the concept of > port- > restricted IP addresses may be possible in other approaches that do > not involve assigning a port-restricted IP address to an interface, > but this investigation is left to other documents" > > If you go back to the introductory slides of the aplusp BoF, it is also > clear that A+P directly in hosts was out of the scope: > "Host-based A+P brings additional complexity" in slide 5 of 01- > agenda.ppt > > > So, from the strict aplusp BoF point of view, this draft brings no > objection on continuing the A+P work at the IETF. > > > > Regards, > > Pierre > > > > -----Message d'origine----- > De : shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] De la part > de mohamed.boucadair@orange-ftgroup.com > Envoyé : lundi 1 mars 2010 11:36 > À : dthaler@microsoft.com > Cc : shara@ietf.org > Objet : [shara] draft-thaler-port-restricted-ip-issues: Host > ImplementationIssues > > > Dear Dave, > > In your draft, you wrote: "To actually apply a port restriction, host > stack implementations > would need to change. Without such a change, a host may naturally > attempt to use the IP address with arbitrary protocols and ports, > which would be akin to address spoofing in a port-restricted IP > address model." > > For fixed networks, several scenarios for the deployment of port > restriction may be considered. Host-based model is one flavour among > others. > > For the CPE-based model, port-restriction features are not required to > be supported by the hosts behind the CPE since port-restriction are to > be enforced in the CPE: No changes are required for the hosts in such > scenario. > > For the host-based model (e.g., mobile networks), I agree that port- > restriction feature is required to be supported by the host. Some > modifications are needed (FYI, port-restriction feature may be > activated by entering two IPTABLES lines in Linux-based Oses.). These > modifications are to be positioned against expected gains such as: > > - Battery consumption for mobile devices because keepalive messages to > maintain NAT entries are avoided (in NAT-based solutions, "Always-on" > services would impact severely the battery consumption. Not to mention > several layers of keepalive messages: e.g., IPsec, SIP ) > - No need to embed ALG in intermediary nodes. > - No need to embed NAT traversal technique in the host > - No latency due to retrieving the perceived IPv4 public address (to be > assigned by the NAT) > - Session tracking issues: It is not required to maintain per-session > tracking information (legal requirement) > - Etc. > > Cheers, > Med > > ********************************* > This message and any attachments (the "message") are confidential and > intended solely for the addressees. > Any unauthorised use or dissemination is prohibited. > Messages are susceptible to alteration. > France Telecom Group shall not be liable for the message if altered, > changed or falsified. > If you are not the intended addressee of this message, please cancel it > immediately and inform the sender. > ******************************** > > _______________________________________________ > shara mailing list > shara@ietf.org > https://www.ietf.org/mailman/listinfo/shara > > ********************************* > This message and any attachments (the "message") are confidential and > intended solely for the addressees. > Any unauthorised use or dissemination is prohibited. > Messages are susceptible to alteration. > France Telecom Group shall not be liable for the message if altered, > changed or falsified. > If you are not the intended addressee of this message, please cancel it > immediately and inform the sender. > ******************************** >
- [shara] draft-thaler-port-restricted-ip-issues: H… mohamed.boucadair
- Re: [shara] draft-thaler-port-restricted-ip-issue… Masataka Ohta
- Re: [shara] draft-thaler-port-restricted-ip-issue… pierre.levis
- Re: [shara] draft-thaler-port-restricted-ip-issue… Dave Thaler
- Re: [shara] draft-thaler-port-restricted-ip-issue… pierre.levis
- Re: [shara] draft-thaler-port-restricted-ip-issue… Masataka Ohta
- Re: [shara] draft-thaler-port-restricted-ip-issue… mohamed.boucadair
- Re: [shara] draft-thaler-port-restricted-ip-issue… Dave Thaler
- Re: [shara] draft-thaler-port-restricted-ip-issue… mohamed.boucadair