IETF Logo Mail Archive

Re: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Wed, 03 March 2010 09:39 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 854D528C0D7 for <shara@core3.amsl.com>; Wed, 3 Mar 2010 01:39:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.413
X-Spam-Level:
X-Spam-Status: No, score=0.413 tagged_above=-999 required=5 tests=[AWL=0.503, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9KXejoyNabJo for <shara@core3.amsl.com>; Wed, 3 Mar 2010 01:39:44 -0800 (PST)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id BFCE13A8A4F for <shara@ietf.org>; Wed, 3 Mar 2010 01:39:43 -0800 (PST)
Received: (qmail 34391 invoked from network); 3 Mar 2010 10:44:35 -0000
Received: from softbank219001188004.bbtec.net (HELO necom830.hpcl.titech.ac.jp) (219.1.188.4) by necom830.hpcl.titech.ac.jp with SMTP; 3 Mar 2010 10:44:35 -0000
Message-ID: <4B8E2E44.1070504@necom830.hpcl.titech.ac.jp>
Date: Wed, 03 Mar 2010 18:39:16 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: pierre.levis@orange-ftgroup.com
References: <4233_1267439756_4B8B988C_4233_6698_1_94C682931C08B048B7A8645303FDC9F30EFAFF530F@PUEXCB1B.nanterre.francetelecom.fr> <22201_1267512105_4B8CB329_22201_305989_1_F1A741D65FFEF6489D607B26ABA0ED5701A5DA81@ftrdmel0.rd.francetelecom.fr> <9B57C850BB53634CACEC56EF4853FF65138ECE7C@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <25638_1267603224_4B8E1718_25638_2380_1_F1A741D65FFEF6489D607B26ABA0ED5701A5E512@ftrdmel0.rd.francetelecom.fr>
In-Reply-To: <25638_1267603224_4B8E1718_25638_2380_1_F1A741D65FFEF6489D607B26ABA0ED5701A5E512@ftrdmel0.rd.francetelecom.fr>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: shara@ietf.org
Subject: Re: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 09:39:45 -0000

pierre.levis@orange-ftgroup.com wrote:

> That's right, these are issues to tackle when considering a CPE-only A+P architecture deployment.

Wrong.

Section 4 of the draft merely says port restricted IP (including
leagacy NAT) restricts port, which is no new.

Sections 5 is simply wrong w.r.t. ICMP. Ping (command on a PR-IP
end host is slightly modified, which is part of stack change) is
working from PR-IP/IP to PR-IP/IP, without changing IP/ICMP layer.

Rest of the section is on management issue if static port
assignment is used with port restricted IP (including
leagacy static NAT), which is no new. You can avoid them
if fully dynamic PR-IP is used, of course.

> My conclusion, I guess, remains valid; 
> "brings no objection to continue the A+P work" does not mean "brings no issues relevant to A+P" 

No. The conclusion is, PR-IP works as good as leagacy NAT and some
form of PR-IP is better than leagacy NAT.

						Masataka Ohta
> Pierre
> 
> 
> -----Message d'origine-----
> De : Dave Thaler [mailto:dthaler@microsoft.com] 
> Envoy? : mardi 2 mars 2010 18:09
> ? : LEVIS Pierre RD-BIZZ-CAE; shara@ietf.org
> Cc : BOUCADAIR Mohamed NCPI-NAD-TIP
> Objet : RE: [shara] draft-thaler-port-restricted-ip-issues: Host ImplementationIssues
> 
> See also the second paragraph of section 4.
> Other sections (5, 6) also apply to a CPE-only model.
> So it is incorrect to say that this draft raises no issues 
> with such a model.
> 
> Classic NAT != the CPE model here.
> 
> -Dave
> 
> 
>>-----Original Message-----
>>From: pierre.levis@orange-ftgroup.com [mailto:pierre.levis@orange-
>>ftgroup.com]
>>Sent: Monday, March 01, 2010 10:42 PM
>>To: Dave Thaler; shara@ietf.org
>>Cc: mohamed.boucadair@orange-ftgroup.com
>>Subject: RE: [shara] draft-thaler-port-restricted-ip-issues: Host
>>ImplementationIssues
>>
>>Hi all,
>>
>>I'd like to refocus I-D.thaler-port-restricted-ip-issues on the subject
>>that was discussed in Hiroshima during the aplusp BoF.
>>
>>Dave's draft is exclusively focussed on A+P directly applied to hosts,
>>as clearly stated in the abstract:
>>"This document discusses issues with assigning an IP address to a host
>>interface such that the IP address may only be used with a restricted
>>set of ports."
>>
>>Dave explicitly concludes that other A+P approaches (A+P in CPEs is the
>>dominant one), are not covered by these issues:
>>"The primary cause of the issues unique to port-restricted IP addresses
>>comes from assigning such an address to
>>a device's interface.  This concept does not occur in classic NAT.
>>...
>>It is possible that the same state benefits motivating the concept of
>>port-
>>restricted IP addresses may be possible in other approaches that do
>>not involve assigning a port-restricted IP address to an interface,
>>but this investigation is left to other documents"
>>
>>If you go back to the introductory slides of the aplusp BoF, it is also
>>clear that A+P directly in hosts was out of the scope:
>>"Host-based A+P brings additional complexity" in slide 5 of 01-
>>agenda.ppt
>>
>>
>>So, from the strict aplusp BoF point of view, this draft brings no
>>objection on continuing the A+P work at the IETF.
>>
>>
>>
>>Regards,
>>
>>Pierre
>>
>>
>>
>>-----Message d'origine-----
>>De : shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] De la part
>>de mohamed.boucadair@orange-ftgroup.com
>>Envoy? : lundi 1 mars 2010 11:36
>>? : dthaler@microsoft.com
>>Cc : shara@ietf.org
>>Objet : [shara] draft-thaler-port-restricted-ip-issues: Host
>>ImplementationIssues
>>
>>
>>Dear Dave,
>>
>>In your draft, you wrote: "To actually apply a port restriction, host
>>stack implementations
>>   would need to change.  Without such a change, a host may naturally
>>   attempt to use the IP address with arbitrary protocols and ports,
>>   which would be akin to address spoofing in a port-restricted IP
>>   address model."
>>
>>For fixed networks, several scenarios for the deployment of port
>>restriction may be considered. Host-based model is one flavour among
>>others.
>>
>>For the CPE-based model, port-restriction features are not required to
>>be supported by the hosts behind the CPE since port-restriction are to
>>be enforced in the CPE: No changes are required for the hosts in such
>>scenario.
>>
>>For the host-based model (e.g., mobile networks), I agree that port-
>>restriction feature is required to be supported by the host. Some
>>modifications are needed (FYI, port-restriction feature may be
>>activated by entering two IPTABLES lines in Linux-based Oses.). These
>>modifications are to be positioned against expected gains such as:
>>
>>- Battery consumption for mobile devices because keepalive messages to
>>maintain NAT entries are avoided (in NAT-based solutions, "Always-on"
>>services would impact severely the battery consumption. Not to mention
>>several layers of keepalive messages: e.g., IPsec, SIP )
>>- No need to embed ALG in intermediary nodes.
>>- No need to embed NAT traversal technique in the host
>>- No latency due to retrieving the perceived IPv4 public address (to be
>>assigned by the NAT)
>>- Session tracking issues: It is not required to maintain per-session
>>tracking information (legal requirement)
>>- Etc.
>>
>>Cheers,
>>Med
>>
>>*********************************
>>This message and any attachments (the "message") are confidential and
>>intended solely for the addressees.
>>Any unauthorised use or dissemination is prohibited.
>>Messages are susceptible to alteration.
>>France Telecom Group shall not be liable for the message if altered,
>>changed or falsified.
>>If you are not the intended addressee of this message, please cancel it
>>immediately and inform the sender.
>>********************************
>>
>>_______________________________________________
>>shara mailing list
>>shara@ietf.org
>>https://www.ietf.org/mailman/listinfo/shara
>>
>>*********************************
>>This message and any attachments (the "message") are confidential and
>>intended solely for the addressees.
>>Any unauthorised use or dissemination is prohibited.
>>Messages are susceptible to alteration.
>>France Telecom Group shall not be liable for the message if altered,
>>changed or falsified.
>>If you are not the intended addressee of this message, please cancel it
>>immediately and inform the sender.
>>********************************
>>
> 
> 
> 
> *********************************
> This message and any attachments (the "message") are confidential and intended solely for the addressees. 
> Any unauthorised use or dissemination is prohibited.
> Messages are susceptible to alteration. 
> France Telecom Group shall not be liable for the message if altered, changed or falsified.
> If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
> ********************************
> 
> _______________________________________________
> shara mailing list
> shara@ietf.org
> https://www.ietf.org/mailman/listinfo/shara
> 
>

v2.23.0 | Report a Bug | By Email