IETF Logo Mail Archive

Re: [tae] [tsv-area] Transport negotiation

james woodyatt <jhw@apple.com> Wed, 10 December 2008 23:17 UTC

Return-Path: <tae-bounces@ietf.org>
X-Original-To: tae-archive@ietf.org
Delivered-To: ietfarch-tae-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3CB0028C1B6; Wed, 10 Dec 2008 15:17:38 -0800 (PST)
X-Original-To: tae@core3.amsl.com
Delivered-To: tae@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE9DD3A69EB; Wed, 10 Dec 2008 15:17:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.43
X-Spam-Level:
X-Spam-Status: No, score=-106.43 tagged_above=-999 required=5 tests=[AWL=0.169, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l8Ie-nnBgsaW; Wed, 10 Dec 2008 15:17:36 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 247363A69E7; Wed, 10 Dec 2008 15:17:36 -0800 (PST)
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out4.apple.com (Postfix) with ESMTP id 85FA44A1C123; Wed, 10 Dec 2008 15:17:30 -0800 (PST)
Received: from relay13.apple.com (unknown [127.0.0.1]) by relay13.apple.com (Symantec Brightmail Gateway) with ESMTP id 6CBC62809F; Wed, 10 Dec 2008 15:17:30 -0800 (PST)
X-AuditID: 1180711d-a6821bb000000ff0-c2-49404e0ab895
Received: from il0602b-dhcp84.apple.com (il0602b-dhcp84.apple.com [17.206.24.84]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay13.apple.com (Apple SCV relay) with ESMTP id 3F84C28092; Wed, 10 Dec 2008 15:17:30 -0800 (PST)
Message-Id: <00AE4990-0003-4827-812A-64A8FE624FB7@apple.com>
From: james woodyatt <jhw@apple.com>
To: tae@ietf.org, tsv-area@ietf.org
In-Reply-To: <49403EB0.7050200@isi.edu>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Wed, 10 Dec 2008 15:17:30 -0800
References: <3BB334D8-B00C-48C1-ACBF-4D09576DEADF@mpi-sws.org> <492C7F97.3030000@isi.edu> <EDCC4CF2-DC3C-409F-8F99-3BE51BAE4111@surrey.ac.uk> <492DE8AD.1090300@isi.edu> <7DA33930-1767-492B-807E-7A7DA661AFE9@apple.com> <5AE49824-74B1-4ABE-BBD4-7DEAFA348245@apple.com> <3F1AB633-7E17-47C4-B126-D8D872B552C5@apple.com> <0191F3F9-CC3D-4925-90BC-15BC966FE012@apple.com> <78ACC2CD-C6E6-46A3-B198-0C0284917E94@apple.com> <494002AB.6080605@isi.edu> <9CF98731-3A97-4056-AF33-64FC43E363CC@apple.com> <49403EB0.7050200@isi.edu>
X-Mailer: Apple Mail (2.929.2)
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [tae] [tsv-area] Transport negotiation
X-BeenThere: tae@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Architecture Evolution <tae.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tae>, <mailto:tae-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/tae>
List-Post: <mailto:tae@ietf.org>
List-Help: <mailto:tae-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tae>, <mailto:tae-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: tae-bounces@ietf.org
Errors-To: tae-bounces@ietf.org

On Dec 10, 2008, at 14:12, Joe Touch wrote:
>
> AFAICT, the demultiplexing is really:
>
> 	3) IPaddr, [transportproto, port]


Actually, the rules a port-muxing NAT must enforce at demuxing time  
are always dependent first on the transport protocol.  After that, the  
rules get murky.

For example, in the case of TCP, the translated destination is a  
function of the entire 4-tuple of remaining address parameters, i.e.  
source address, source port, destination address, destination port.

On the other hand, in the case of UDP, the translated destination can  
be the result of any of three different functions involving the 2- 
tuple of the destination address and destination port, the source  
address and the source port, according to the UDP endpoint mapping  
behavior of the NAT function in play.  (Incidentally, a similar  
explosion of possibility arises for TCP when considering unsolicited  
inbound SYN packets received at destination address and destination  
port pairs already in use by another connection state, i.e. it's  
according to the TCP endpoint mapping behavior of the NAT function.)

Likewise, other transport protocols, e.g. IPsec ESP, don't even have  
source and destination ports, and also some, e.g. SCTP, use an  
association identifier with the destination address and they don't  
translate the source or destination ports at all.

It's messy, but if we're going to end our anti-NAT jihad, then I'm  
looking forward to seeing proposals for ways we can simplify all  
this.  Hopefully, those proposals will be ones that won't get shot to  
pieces in the everlasting battles over security vs. transparency for  
which IETF has been the battleground since forever.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering


_______________________________________________
tae mailing list
tae@ietf.org
https://www.ietf.org/mailman/listinfo/tae

v2.8.7 | Report a Bug | By Email