[Spud] Types of flow pattern and NAT impact?
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 26 March 2015 19:55 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id ED32E1B2B87
for <spud@ietfa.amsl.com>; Thu, 26 Mar 2015 12:55:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001]
autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wLHwDueI-OyH for <spud@ietfa.amsl.com>;
Thu, 26 Mar 2015 12:55:44 -0700 (PDT)
Received: from mail-la0-x22b.google.com (mail-la0-x22b.google.com
[IPv6:2a00:1450:4010:c03::22b])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 97B361A00E0
for <Spud@ietf.org>; Thu, 26 Mar 2015 12:55:40 -0700 (PDT)
Received: by lagg8 with SMTP id g8so54465645lag.1
for <Spud@ietf.org>; Thu, 26 Mar 2015 12:55:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:sender:date:message-id:subject:from:to:content-type;
bh=Y7OjdbdNP+j5+9qYHihZi3MB6x35OrxFb5ZW64ea64A=;
b=drsTLrgsJbno94F8zNt4/odOeRsUbAFt6pKfeBiTNYlR4WO9dD5odBFS0QstOYzrXn
z0wzdW7lCcqCvR5s0h2Y8z2tLl2Z7uh1kLPO7hP8WgElFSAzK1xXPIK74fCuK7vRFKCT
0YrOC3g4DlwdXJVyrI/Um5lBSRKKedJSnyOv60nKksOdP0s9kvjJKGUrsvrI9iJb3ID4
XRBJyab//Msl3e+NIi0TlKAI5ka4QH84th+Ohrc2lQeaktUUYMTwF01wZXLbnFrOPwFQ
Moc718IhlLwbK2VVVnr/qm3hvcXOxAQ2w1Ox6za5Tg/IHphTqnL35Jdkc72+ZytwQogu
dA5w==
MIME-Version: 1.0
X-Received: by 10.152.4.136 with SMTP id k8mr14790798lak.103.1427399739040;
Thu, 26 Mar 2015 12:55:39 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.45.203 with HTTP; Thu, 26 Mar 2015 12:55:38 -0700 (PDT)
Date: Thu, 26 Mar 2015 14:55:38 -0500
X-Google-Sender-Auth: 0WzGHIG5r9cw3LeWuLVfvX2Py9U
Message-ID: <CAMm+Lwh6dEiB1HPrbnJASR7O6DWPh1UQTUADTaeZ5bGOZYi07w@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Spud@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/Ax2Y758FmsHLdCkmDh-JCtXvrSs>
Subject: [Spud] Types of flow pattern and NAT impact?
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 19:55:45 -0000
Different applications have different flow patterns and the differences make a difference when it comes to a middlebox deciding when to tear down a NAT association or the endpoints are striving to keep it open. I think it is useful to enumerate the various flow patterns and to take into account that these are typically directed. In the home network we have 1-150 IP addresses on one side and one IP address on the other. In the enterprise or 'carrier grade NAT' setting we have a larger pool of IP addresses that are being mapped to, but the choice of address within a pool is typically random. While it is possible to use multiple layers of NAT and even NAT that does not involve Internet addresses at all, I find it easiest to get my head round a problem thinking in terms of a 'local' network and the 'remote' and to focus on the NAT box on the local side. For many interesting cases (peer to peer voip, audio, etc) we will have NAT boxen on both sides of course. There are two basic cases: 1) The communication session is initiated by the local party 2) The communication session is initiated by the remote party The second case requires some form of Port Control (e.g. RFC6887) which is an explicit interaction with the local NAT (or else how does the first packet know where to go?). But this does not mean that there is no SPUD implication as SPUD traffic might well be an implicit keep alive on the port control. For message types, I see an important distinction between idempotent and statefull sessions. There are some protocols where UDP is used to effect a stateless interaction with one server from a pool, which server is chosen does not matter. The main use for an idempotent UDP interaction is of course DNS. But fast idempotent protocol is useful in many other circumstances: OCSP lookup, Peer-to-peer discovery, content routing, certificate directories, key servers etc. etc. The DNS protocol limits transactions to a single request and a single response. Fitting a request into one UDP packet is much easier than fitting a response into one packet. So an idempotent UDP transaction might consist of one request packet followed by 0-16 (say) response packets. There is obviously a limit to the number of packets that can be returned without some sort of mechanism to detect and retransmit dropped packets which will require state. And obviously in the modern internet, any stateless service that requires any significant effort and does not authenticate requests is going to result in wailing and gnashing of teeth as it gets DoSed or used as an attack proxy. For stateful flows we can have one tube or many. But is that something the NAT box needs to know about? If not, I want the data in my encrypted payload.
- [Spud] Types of flow pattern and NAT impact? Phillip Hallam-Baker