Re: [tsvwg] Alternative proposal for nat support of SCTP
Claudio Porfiri <claudio.porfiri@ericsson.com> Thu, 20 May 2021 12:55 UTC
Return-Path: <claudio.porfiri@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D6ED3A1600; Thu, 20 May 2021 05:55:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuC9tUJpeZhq; Thu, 20 May 2021 05:55:24 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2070.outbound.protection.outlook.com [40.107.20.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D6D13A15FA; Thu, 20 May 2021 05:55:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e8n3A1vZ5vk3yJRztYoQCMg4Po5pOCpWGfi/gYu73yXa20PIP+Hy9f9/tYQ2mb0SqhU5eWIvn7DLRcIvXYcuoFczPfu3an4Beb7HioUxo7bk/X3AtQV1py9uuotlemHqQj62QWiUIHMlATca9feWkerz0UAPCtCPNCngIOEZPyobxfkLSYih3y3PSfcEXiLnO+ERnBRHbvAyn6Sa2v1qAEL9tRj11H7Ccs7vxkLwd+04i/AOZKH+hjHlycA9Wrm6+kAJjGSqjVxDD0i3/NPEkvSrPlrpQeJJ5odsDOhjd1AFEsvP/1rsAxkok52U5YwDRvvfztjUDNUIcWgEgX24iQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x8BdEQN9R7WWXYIriZnSCSBQszEGG3mCkg7VsZ+AsXc=; b=eUra4LmdzkjpVK/ajbKRt/DUDTQAx8y/8bFyL2tT3XkV+j56bqed9z6p8boK6hDQX4+riDHUPnULYo2INveCzoFAb1PnlQPc+35CL6xKQKqts+Sjk2yPHcay4RbAmkomlu/+LswFkbgzKk5zcZ2mjwfGE7vrP9lI9v2enJrnfd6ogi81sAxI9izJm9R5wCKcpT1ZHoMvzztuLmhan536ZQxI2TLEOSFEW93YvRaLu5DlkgEx8eEF9DNTQgzulcnLh5OcmLMw2efWgGM8fM12QFgR8qn13x206KH10QpYoHFez150iE/JZvtbxFOQTAgWdaa6YqBZ1OVApyONSqbuqw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=x8BdEQN9R7WWXYIriZnSCSBQszEGG3mCkg7VsZ+AsXc=; b=OXqTD8dIDHTJw8+0zeV9mCpC1J3+jhtoCXCb/NiTWWrBbZhyDbOF1VvsjhOQxsnsQ6/g3b0bhkHNaJDkxBtfY08NK/q1deXIkQoh/IltRKFanaIKr/9ze3S5u5b4CGQ085MOw8mRWpkCClSl3/p6xqdrISl0Nbbqn0mwtpBoz9I=
Received: from AM0PR07MB4066.eurprd07.prod.outlook.com (2603:10a6:208:4d::18) by AM0PR07MB5650.eurprd07.prod.outlook.com (2603:10a6:208:113::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.11; Thu, 20 May 2021 12:55:19 +0000
Received: from AM0PR07MB4066.eurprd07.prod.outlook.com ([fe80::f155:daca:1b59:fe26]) by AM0PR07MB4066.eurprd07.prod.outlook.com ([fe80::f155:daca:1b59:fe26%7]) with mapi id 15.20.4129.032; Thu, 20 May 2021 12:55:19 +0000
From: Claudio Porfiri <claudio.porfiri@ericsson.com>
To: "michael.tuexen@lurchi.franken.de" <michael.tuexen@lurchi.franken.de>
CC: "draft-ietf-tsvwg-natsupp.all@ietf.org" <draft-ietf-tsvwg-natsupp.all@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] Alternative proposal for nat support of SCTP
Thread-Index: Adc3O53JXqFzGUF0RIqHjSs0CCQliAByHd6AAIw5PlABPzdpgABR55MwAD9Kx4AAxYqA4AAUh86AABbbpaAAAG4pAAHOwN5g
Date: Thu, 20 May 2021 12:55:19 +0000
Message-ID: <AM0PR07MB406688A70A2E7FEB6BB3ADDD872A9@AM0PR07MB4066.eurprd07.prod.outlook.com>
References: <AM0PR07MB40660A7662F8D256CFFA40AE87469@AM0PR07MB4066.eurprd07.prod.outlook.com> <03142829-58F8-4276-96DD-CCA0CF782737@lurchi.franken.de> <AM0PR07MB4066C88C1BAD97CF978F629987419@AM0PR07MB4066.eurprd07.prod.outlook.com> <45699343-71CC-4B63-B959-22E0313C6405@lurchi.franken.de> <AM0PR07MB4066ACAAD73E0D4542210A5187599@AM0PR07MB4066.eurprd07.prod.outlook.com> <A8D24D3D-4EEB-4193-A0C1-3EF7E053710D@lurchi.franken.de> <AM0PR07MB4066624FF45610249753FFE787549@AM0PR07MB4066.eurprd07.prod.outlook.com> <D357776E-26A4-40A7-8F8D-AEACAA768693@lurchi.franken.de> <AM0PR07MB4066214C715747B0637C6C6887539@AM0PR07MB4066.eurprd07.prod.outlook.com> <C05D3A04-105A-4C98-937A-0C181D35392E@lurchi.franken.de>
In-Reply-To: <C05D3A04-105A-4C98-937A-0C181D35392E@lurchi.franken.de>
Accept-Language: en-US, sv-SE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: lurchi.franken.de; dkim=none (message not signed) header.d=none;lurchi.franken.de; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [188.151.178.155]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4c4e1268-dc46-4cd4-5d54-08d91b8e8602
x-ms-traffictypediagnostic: AM0PR07MB5650:
x-microsoft-antispam-prvs: <AM0PR07MB5650078A308A06651C3FF13B872A9@AM0PR07MB5650.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2331;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5qqBoPA773Ku+w9q6YiRvVbIhVCoz1xgMU9g+K0e1zFMjOSpOtpA4gvpLY1QkQ2fGeOSajUT45ToBoAzSxNlnMQaj7gnd9oym5jpOKMzdwPdzGuMyOei6D1+wMY/yups+uy5cWtVaW1AS7WGkmIVYabrehku+ocHBiEhdWA3xssJmnPYLw4Rdn2249cFJf6iO2ldJ0mln/WdlaW/Thko2iq+dzWe4vrDspb19+GMA9mVZ5mxj4ecKwPiUn2tFiLm9c6FawzCRn/v91ki50plboYqRMygWTQissMZfSC+EQUNpXpsmXfyPWha1QUY0qy9a5MlJAsjL5oLn5vchqwrQDl1RPCTIxDj/86oY51EL9/GTHyGdu2kpVJwJm2QxJ1P8qxGYAt6Byc1oMakgpOW5J8zwXG/hFAcm12B4lN9Yj0Ql9TCZqBb5N2FPPg4AtkXZBReVQthyiIriqhiY2/VrOzMZsiyMc9i680BNlh+53i0DwcjM0kuGDTy7tW+LuUD7KvrfmWwswGEVAYnRgYdg5can3R9NvZ3U8xwIiGKA47fUBU/fIsj0j8aCPHDlaScx4QPaOkKJ4TPRn7a/TD5NvAWESVRyp9ndFXzJderTFYAouWXW+7CCdPzkYRKDXZoa+ba0Iu3QSNsCO0LZrhHXAEWomd6vAmmlpLVMM5gVwO7k7b0dz8WKFCq1Et+ygwrMRz+DQlArFFLWRTqbPRckQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR07MB4066.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(376002)(346002)(136003)(39860400002)(396003)(76116006)(8676002)(316002)(53546011)(66476007)(66946007)(6506007)(966005)(66616009)(44832011)(5660300002)(478600001)(71200400001)(38100700002)(30864003)(54906003)(64756008)(66556008)(122000001)(55016002)(186003)(99936003)(9686003)(66574015)(45080400002)(83380400001)(52536014)(86362001)(8936002)(66446008)(4326008)(7696005)(6916009)(2906002)(26005)(15974865002)(33656002)(579004)(559001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: GHll0ydg1NUfrfkRC19uNtoZAILo2ScLczQSPH/peLuy7JqmBP2frUtjZ31WO+bz1ec+mcavlwJWqV/zIAK7P/aAqYUFmMZyC3wEe3EXdpx8zWyH0yQHAJvfGUh4LEOQmzTY+wyF30eF089xn3ht0E8KYfGZU4AoEXJFxCDqqbf5uefB9B2mPsIgV8TkESMfi1fsa66EkOKg4raLb8vmhEw2lj34qJg41loHBTi3FXnUReNWsCXS86FeIt665hVKnewG57rc6e1bMGrmIEDgBMyengUZrD2b1KNdg1iQ+SgAhwt9yMRULn4ugoNAadK4lw7olABWOlSw4jJ/7nf5H/ncgLBpPURd7/gKHoHQMCAmGHHpVxLT+vz4aHJx7hzLy2IaYzKUWW32g/2PRcN35AGGR0dv+y5eKrW+XCM6oGoSEG0S5KdSHtDJ898Q9ppAyWztFSHQro1NWMHotBksi06oLOQNXSwew1juuqehVK6Iyv7ae/dRHWmm8MFk4zXJpPqytbC40+omApqRcQUALym71lScG3sSx9jgLV1G66qC51eV0PgkI4ZKwz1hLnu572hFddGZawchAHYVy+UzgPh5thwWT6OhJ52+c3LXnwzXYl+LHbE2eJ2o6u40omVqpP9AnG5zgJpBiS4nYE3Kqu2+hgcdatUa7IF7nMSEw4wFONXQng+MFT3WkVT5UOMIyF0zo9hHQ+tD3BfMNIWyPf9KyoJ1rIGmMw2T/6+kcVv52CpMix0kA2Kq7A8Pj8jnClQGlPUN1fuvd3ICyR/6QR3mlCLuhkVpcGiW6lfFzGcH6+FCPinvmw3e2nOh4AtDA7ELuDgk1hOKYYWS00reOJJyZirexJ/JAYjebNtfTFi2bkHd6rjdTT1bt96gFEnxm9ooXB1rNbwlkA/ebP/PIreSGEnjgCu1LzvIcteUN9LU0Lsm9mtQPtJOsAU+L6uDYeHPCqgcp6rOwuMkpALwZJxz5w/3paI1CDff9C9KNrqhfJ23ZR0gIOA8Z4/4DfzRypG7KCFu/Nw9ef1oxbVpUSJ+nasnY3msW0F1utOk7KDeSbzXpLLGSROYFbXvb5S3AgltupvGhZxrYU+vgU06n02cBG0v3QMX4SwpG77VkbnMZN7RqSwpI7HDpYYKA/+h6uvwClXzcN6Y3FfC58eFQRxOwvVBzCX4vJieol+13bTJrcO89Zi18IWAIP4bd96piIfUKlNMjkgS3GaY2mXhkgAXRKtlsMNDlN6S0iNbr4/3tbEDMYwDhNOiTztVJYto6IBuNPSLCrPIopyYcxGfugeQgAbfkAsnyx3hr00wablGPxHMjIjoGH2ofWcngIg1
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_01B0_01D74D88.263A1270"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR07MB4066.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4c4e1268-dc46-4cd4-5d54-08d91b8e8602
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 May 2021 12:55:19.6584 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Qa9K/dRBsO7FKlKZRLA9/AywtSDI/OBLh8D9yUxArOCsXNS/eAr+Sk4j7+a2MhppD7TJLsYpX/MF1wzLb8UOnNDGO3Qcds7LRIiq+zn+YP4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB5650
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/5yqq0NXb-zZxOdd4-_8o0f2r7JE>
Subject: Re: [tsvwg] Alternative proposal for nat support of SCTP
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2021 12:55:31 -0000
Hi Michael, I have done some homework and prepared some material here https://github.com/teiclap/NAT based on your previous work. It's still preliminary as it doesn't contain the examples and I have removed all the Yang stuffs. Please let me know if it's inline with the expectations. Thanks, Claudio. -----Original Message----- From: Michael Tuexen <michael.tuexen@lurchi.franken.de> Sent: Tuesday, May 11, 2021 10:03 AM To: Claudio Porfiri <claudio.porfiri@ericsson.com> Cc: draft-ietf-tsvwg-natsupp.all@ietf.org; tsvwg@ietf.org Subject: Re: [tsvwg] Alternative proposal for nat support of SCTP > On 11. May 2021, at 09:57, Claudio Porfiri <claudio.porfiri@ericsson.com> wrote: > > Hi Michael, > I think your way forward is reasonable. > Shall you share the source of the current draft, so that I can easily reuse the structure? Sure: https://protect2.fireeye.com/v1/url?k=4d556e15-12ce5710-4d552e8e-86d2114eab2f-4dc25852481081fb&q=1&e =5cd18f46-694d-4e1e-b06d-5908e21321f8&u=https%3A%2F%2Fgithub.com%2Fsctplab%2FNAT Let me know if you have any problems. Best regards Michael > > Thanks, > Claudio. > > > -----Original Message----- > From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de> > Sent: Monday, May 10, 2021 10:56 PM > To: Claudio Porfiri <claudio.porfiri@ericsson.com> > Cc: draft-ietf-tsvwg-natsupp.all@ietf.org; tsvwg@ietf.org > Subject: Re: [tsvwg] Alternative proposal for nat support of SCTP > >> On 10. May 2021, at 13:22, Claudio Porfiri <claudio.porfiri@ericsson.com> wrote: >> >> Hi Michael, > Hi Claudio, >> about the application involvement, I agree with your points. >> You have stated things in a very clear way. >> On the need for NAT to act towards the endpoint, I don't have objections towards ABORT. >> The related extensions can be copied from the current draft. >> Also about the need to use ASCONF and the reasons behind that I agree with you, it makes things > much >> easier. > I think we are in agreement here. >> >> Do you think I can rewrite my proposal based on those observation? > Yes, I think so. >> Do you think the structure of the proposal is a good way of presenting it? > Let me make a suggestion and let me know what you think about it. > > * I'll update the NAT document to address the comments of Magnus and Martin. This will > improve the document. > * You'll create a separate ID describing the vtag free way of doing NAT. You refer as > much as possible to the existing document and use the same structure. Your document > doesn't need to be perfect. Just good enough to have the way of doing NAT written > down, such that we can discuss and improve it. Especially the multihoming case is > not yet clear to me. > > Once we have both documents on the table, we can see if we can merge them (since you > used the same structure, it should be relatively easy to integrate it) or if the > WG decides to move forward with only one of the ways doing NAT. In case it is the > solution you propose, you can then copy over the text you were referring to initially. > That should also be relatively straight forward, since you used the same structure > of the document. >> I was thinking about the idea that, since the basic concept are similar and the main difference is >> whether the NAT take care of parsing chunks and keep the Association state in the legacy and the >> timer-based no-parsing proposal, if it's worth to combine both proposal into a single one where > SCTP >> is compatible with both and the NAT implementor can choose if implementing my proposal as a > subset. >> I am not 100% sure that compatibility is possible, but it seems to me that they are not diverging. > Right now, I don't know how easy it is to combine the both methods. I guess, once both are written > down, it is much simpler to decide it. > > The above is a suggestion on how to move forward. Please let me know what you think about it, > > Best regards > Michael >> >> Best regards, >> Claudio. >> >> >> -----Original Message----- >> From: Michael Tuexen <michael.tuexen@lurchi.franken.de> >> Sent: Thursday, May 6, 2021 2:52 PM >> To: Claudio Porfiri <claudio.porfiri@ericsson.com> >> Cc: draft-ietf-tsvwg-natsupp.all@ietf.org; tsvwg@ietf.org >> Subject: Re: [tsvwg] Alternative proposal for nat support of SCTP >> >> Hi Claudio, >> >> see my comments in-line. >> >> Best regards >> Michael >> >>> On 5. May 2021, at 09:40, Claudio Porfiri <claudio.porfiri=40ericsson.com@dmarc.ietf.org> wrote: >>> >>> Hi Michael, >>> thanks again for your comments. >>> I think you are pointing the finger towards the weaknesses of the approach, actually there's room >>> for improvement. >>> I try to list those here: >>> - The application needs to be involved. It's up to the application the decision whether adopting >> an >>> ephemeral endpoint for the Association where port number is not important. This may or may not be >>> demanded to SCTP via socket API, in such case socket needs to be adapted. If the decision is to >> add >>> the concept of ephemeral endpoint to SCTP, it may be SCTP that tries with different port numbers >>> during the Association instantiation attempts. >> I'm not sure if we have the same understanding, so for being crystal clear: >> >> (a) An application can request a specific local port number (in the socket API, using bind() with >> a non-zero port number), and in case of a local port number collision, the connection setup has >> to fail. I think we agree here. >> (b) An application leaves the local port number selection up to the SCTP stack (in the socket >> socket API by either calling bind() with a zero port number or not calling bind() at all before >> calling connect() or sendto(). However, once the port number is chosen, it can not be changed. >> So in case of a local port number collision, the association setup has to fail. It is up to >> the application to close() the socket and restart from the beginning. >> (c) An application leaves the local port number selection up to the SCTP stack (in the socket >> socket API by either calling bind() with a zero port number or not calling bind() at all before >> calling connect() or sendto(). In addition, it indicates the the SCTP can change the local >> port number over time (in the socket API this would be calling an IPPROTO_SCTP level >> new socket option). In this case, the SCTP stack can automatically retry a connection setup >> in case of an local port number collision. >> >> Whether it is easy to implement the rebinding in (c) is implementation specific. But it is >> important to say that (b) and (c) require some interaction of the application. >> Do we agree on this view? >>> - Time for establishing the Association can be really long. The option where NAT sends an ERROR > to >>> the SCTP Client when experiencing a port collision should be taken as SHOULD. The computational >> cost >>> added at NAT is reasonable as the SCTP Packet will be parsed only when VTAG == 0 in SCTP Common >>> Header. When the endpoint would receive the related ERROR, it will be propagated to the >> application >>> so that it may decide with another port. >> I agree that cooperation with the NAT functions can speed up things. I would suggest to use an > ABORT >> chunk, since the association will not be established without a port number change. If you use an >> ABORT, the local port number collision can be detected in a short time and and SCTP using (c) can >> react fast or an application doing (a) or (b) knows fast and can react. >> I guess on this point, both ways of doing NAT for SCTP are not that different. >>> - SCTP behavior when trying to create the Association. I agree that having the knowledge of the >>> public IP address at the endpoint can be difficult. The alternate way exploiting ASCONF as in the >>> current ID is preferred, but should the legacy behavior be prohibited? >> I'm not sure what you consider to be the 'legacy behaviour'. If you are referring to using IPv[46] >> address parameters in the INIT and INIT-ACK chunk, I would not consider it 'legacy' behaviour. It >> worked since RFC 2960 and will work in the future. So 'legacy' is not the right term. >> The crucial point here is that my understanding is that an SCTP end-point lists in the INIT or >> INIT-ACK >> chunk addresses this end-point owns, not arbitrary ones. >> https://www.ietf.org/archive/id/draft-ietf-tsvwg-rfc4960-bis-11.html#section-3.3.2.1.1 >> says that the IPv4 address parameter "Contains an IPv4 address of the sending endpoint." >> This is an address owned by the end-point, not owned by some NAT functions somewhere as observed >> by the peer. >> The whole dance with the ASCONF related procedures is done to deal with this case. And I don't >> see a way around this. >>> - The chance that an SCTP endpoint gets ABORT because the temporary configuration of one of the >> NATs >>> is causing a packet being forwarded to the wrong host in distributed endpoint case exists. >> Currently >>> rfc4960 doesn't discriminate ABORT requests, here I think we may improve it: when a multihomed >>> association exists and ABORT is received from one of the remote IP addresses but traffic is >> ongoing >>> from the other IP addresses, is it correct to abort the Association? Should a deeper analysis be >>> performed at the endpoint before aborting? >> I don't think so. The ABORT indicates that something is wrong and the communication should be >> stopped immediately. I think this is the right thing to do. >> >> The problem here is that some mechanism doesn't work right at some time and you want to change >> the rest to tolerate this mis-behaviour. I would prefer to make sure this mis-behaviour does not >> happen. Or when it happens, the ABORT procedure it the way to stop it from happening. >>> >>> Best regards, >>> Claudio. >>> >>> -----Original Message----- >>> From: Michael Tuexen <michael.tuexen@lurchi.franken.de> >>> Sent: Monday, May 3, 2021 5:35 PM >>> To: Claudio Porfiri <claudio.porfiri@ericsson.com> >>> Cc: draft-ietf-tsvwg-natsupp.all@ietf.org; tsvwg@ietf.org >>> Subject: Re: [tsvwg] Alternative proposal for nat support of SCTP >>> >>>> On 27. Apr 2021, at 13:14, Claudio Porfiri <claudio.porfiri=40ericsson.com@dmarc.ietf.org> > wrote: >>>> >>>> Hi Michael, >>>> thank you for the comments. >>>> I think there are some points that I have missed and that need some more work. >>>> I am assuming that there are two families of SCTP users, the ones that act and will always act > as >>> a >>>> client where the concept of SCTP Endpoint is not so strong, for those the source port number is >>> not >>>> really important as the user can use any; for those it should be possible to specify a parameter >>>> "ANY PORT" so that SCTP randomly selects a dynamic port as specified by rfc6335. The second >> family >>>> is tied to the SCTP Endpoint and shall use or be tied to well defined port numbers when acting > as >>>> client or server. >>> When using the socket API, where you can specify "ANY PORT" by using 0 as the local port number, >>> does mean that the transport layer selects a local port number once. Once it is chosen, it isn't >>> changed anymore. >>>> When a SCTP user belongs to the first family, SCTP may try itself different port numbers when >>>> experiencing rtx timeout when sending INIT or the user can retry after SCTP failure. >>> Yepp. An application would have to open a socket, try to to connect() and after a timeout (which >>> takes a long time) close the socket, create a new one and try again... Basically, the application >>> has to deal with local port number collisions and, in particular, has to tolerate long delays. >>> This is not required by the method described in the current ID. >>> >>> More comments in-line. >>> >>> Best regards >>> Michael >>>> >>>> On your comments, I have answered in-line. >>>> >>>> Regards, >>>> Claudio. >>>> >>>> -----Original Message----- >>>> From: Michael Tuexen <michael.tuexen@lurchi.franken.de> >>>> Sent: Saturday, April 24, 2021 2:20 PM >>>> To: Claudio Porfiri <claudio.porfiri@ericsson.com> >>>> Cc: draft-ietf-tsvwg-natsupp.all@ietf.org; tsvwg@ietf.org >>>> Subject: Re: [tsvwg] Alternative proposal for nat support of SCTP >>>> >>>>> On 22. Apr 2021, at 08:01, Claudio Porfiri <claudio.porfiri=40ericsson.com@dmarc.ietf.org> >> wrote: >>>>> >>>>> Dear all, >>>>> the AD Review to draft-ietf-tsvwg-natsupp-22 has shown some room for improvements. I'd wish to >>>>> propose an alternative approach for supporting SCTP in scenarios where NAT and Load Balancers >>>> exist. >>>>> Please consider my proposal as a way to enhance SCTP and reduce the complexity of previous >>>>> proposals. >>>> Hi Claudio, >>>> >>>> the authors of draft-ietf-tsvwg-natsupp-22 have never stated that the document describes the >>>> only way to do NAT for SCTP, but is describes one way. There are definitely other ways to do it >>>> with different pros and cons. >>>> >>>> Regarding your proposal, see my comments in-line. >>>> >>>> Best regards >>>> Michael >>>>> >>>>> With best regards, >>>>> Claudio Porfiri. >>>>> >>>>> >>>>> - Background >>>>> This proposal is an attempt to solve some of the issues raised in the review of the current >>>>> draft-ietf-tsvwg-natsupp-22. >>>>> It also deals with implementation of nodes that adopt SCTP as transport protocol in a Cloud >>>>> environment, mostly in containerized way, that exploit NAT for redundancy and scalability >>> reasons: >>>>> the SCTP Endpoint in those environment is ditributed among SCTP Hosts that expose the same Port >>>> but >>>>> from the network the SCTP Termination is seen as belonging to a single host. Often those >>>> distributed >>>>> SCTP Endpoints are multihomed. >>>>> A typical example is the AMF node in 5G networks, related to the NG-C interface, (3GPP TS >> 38.412, >>>> TS >>>>> 38.413), a similar case is the MME node in 4G network, related to the S1-MME interface (3GPP > TS >>>>> 36.412, TS 36.413). >>>>> >>>>> A NAT supporting SCTP must also be able taking care of simpler scenarios such as SCTP Clients >>>> behind >>>>> a NAT wishing to create Associations towards the same remote peer, even cases where multiple > NAT >>>>> exist and/or a transversal scenarios where independent NAT devices deal with the same >>> Associations >>>>> in single or multihomed cases. >>>>> The case where NAT implements port-forwarding also needs to be considered. >>>> I'm not sure what you mean by referring to 'port-forwarding'. If you refer to a way to add >>>> manually specific entries into the NAT binding table, then it is fine. But we haven't specified >>>> that. If you refer to a way to change port numbers of packets processed by the NAT function, >>>> then this is not covered by NAT variant described in draft-ietf-tsvwg-natsupp. >>>> [teiclap] Yes, port-forwarding is manually specifying entries in the NAT binding table. >>> OK, thanks for the clarification. This is also possible using the method described in the ID. >>>> >>>>> >>>>> >>>>> The scenario called Multipoint Traversal is possibly the most complex when distributed SCTP >>>>> Endpoint, this cannot be neglected in a SCTP NAT support solution. >>>>> >>>>> - Cornerstones of the proposal >>>>> As in draft-ietf-tsvwg-natsupp-22, the main requirement towards NAT is that handling of the > SCTP >>>>> ports is to be kept at the SCTP Endpoint, thus the NAT devices shall never change SCTP source > or >>>>> destination ports. In case of collision, it's the source SCTP Endpoints that will take the >>>> decision >>>>> about adopting a different source port. >>>> In my view an SCTP end-point can not change its local port number. It is a property of the >>>> end-point. >>>> Looking at the socket API (which is only informational, I understand this), you can't "re-bind" >> an >>>> end-point. You either call bind() explicitly once or it is called implicitly when you call >>> connect() >>>> or sendto(). >>>> So in your case you would have to fail the association setup in case of an internal port number >>>> collision. >>>> The question is if the probability of this failure is acceptable. My understanding is that NAPT >>> was >>>> introduced to deal with local port number collision, since it was considered too likely. That is >>> the >>>> whole reason why we introduced the method described in draft-ietf-tsvwg-natsupp. The 4-tupel >>>> consisting >>>> of both port numbers and port v-tags are used as a connection identifier. >>>> If failing SCTP association setups in case of local port number collisions is acceptable, then >> the >>>> methode described in draft-ietf-tsvwg-natsupp is not needed. >>>> [teiclap] By introducing the possibility to choose a different source port when INIT fails, I >> have >>>> introduced a sort of NAPT with the difference that SCTP is in full control of the port. I agree >> on >>>> the point that SCTP Endpoint cannot change the port number as the port number is part of the >>>> Endpoint definition. It would be a better description that an SCTP user can choose another SCTP >>>> Endpoint, limited to the kind of user itself. Whether is SCTP selecting alternative Endpoints or >>> the >>>> user to explicitly doing that or even SCTP supporting ephemeral Endpoints is worth to talk > about. >>> OK. This means we agree on it. Local port number collisions in your proposal require some action >>> by the application. I think the additional delay is also critical... >>>> >>>>> The NAT devices will only need to inspect the SCTP common Header of the SCTP packets, all >>>> decisions >>>>> are based on [Source-IP:Source:Port;Destination-IP:Destination-Port] and VTAG. >>>>> The reason why VTAG is read is to check that it's equal to zero, as this means that the packet >>>>> transports an INIT chunk. >>>> That is definitely simpler than what is required for draft-ietf-tsvwg-natsupp. >>>>> >>>>> >>>>> - Advantages towards natsupp draft version 22 >>>>> The proposed approach doesn't need the NAT devices to take care of VTAG handling. >>>>> The NAT device only needs local rules for creating a NAT Table entry as it doesn't need to > trace >>>> the >>>>> Association establishment. >>>>> The NAT table entries are only depending on a timer supervision, not on Association state. >>>>> There's no need for synchronization among NAT devices, consistency of NAT Tables among > different >>>> NAT >>>>> devices is kept automatically even in cases of restarts. >>>> I don't think draft-ietf-tsvwg-natsupp describes any synchronization methods between NAT >>> functions. >>>> [teiclap] Agree. >>>> >>>>> >>>>> NAT doesn't parse SCTP packets, thus NAT behavior doesn't depend on SCTP. >>>> I agree that your description does not require any chunk processing of SCTP packet, but is does >>> need >>>> to understand the SCTP common header (you refer to the verification tag). So the NAT does need >>>> to understand SCTP and act in an SCTP specific way. >>>> [teiclap] Correct. It does depend on SCTP, this part I need to rewrite. >>>> >>>>> The NAT device doesn't need to send any SCTP packet to the SCTP Endpoints. >>>>> Decisions at the SCTP Hosts are taken by means of interpreting the retransmissions and the >>>> timeouts, >>>>> collisions are solved by the client by choosing a different port numbers rather than a > different >>>>> VTAG. >>>> I don't understand that. An SCTP end-point can not change its local port number. A client >>>> application >>>> can retry connection setups. But how does the client application know that it has to retry with > a >>>> new end-point compared to the peer end-point is not available or there is some temporary network >>>> outage? >>>> [teiclap] Here I assumed that a port collision can be seen as temporary or permanent network >>> outage. >>> I understand your view, but I disagree... >>>> >>>> >>>>> >>>>> - Disadvantages towards natsupp draft version 22 >>>>> Handling of multiple Associations between the same SCTP Endpoints are not possible (this is not >>>>> permitted by RFC 4960 On the same source and destination port pairs ). >>>> And I wouldn't consider this a disadvantage. It is just a consequence of the way local port >> number >>>> collisions are handled. I think handling of local port number collisions is important (I think >>>> we disagree here), but I don't think more than one association between two end-points is >>>> feature which is required. >>>>> The limit of number of Association between hosts is given by the port number, it's not possible >>>> from >>>>> clients behind NAT to establish more than 64k Associations towards the same remote SCTP >> Endpoint. >>>> That is fine. I don't think any NAT variant must improve this limit. >>>>> Setup time for Associations in collision case takes longer. >>>>> >>>>> ----------------------------------------------------------------------------------------------- >>>>> >>>>> - Scope of the proposal >>>>> The scope of the proposal is the use of NAT in networks where SCTP clients and server are >>>>> instantiated with neither restrictions on the level of NAT hierarchically or horizontally, nor >> on >>>>> the adoption of multihoming. >>>>> In the scoped scenarios, NAT can be used for hiding SCTP clients, servers and for > implementation >>>> of >>>>> Load Balancing in the sense that multiple SCTP servers are hidden and the choice of the one >>>> serving >>>>> the client is decided by the NAT function implementing Load Balancing at Association >>> Establishment >>>>> time and kept for the Association Lifetime. >>>> I think load balancers are different from NAT function. A load balancer, in my view, gives a >>> single >>>> point of contact, but the actual traffic is managed by multiple other nodes. >>>> This is similar to an any-case service. A good way to deal with this would be that the clients >>> would >>>> send the packets containing the INIT chunks to the IP address of the load balancer. The load >>>> balancer >>>> would decide, which endpoint should deal with this particular association (the algorithm does > not >>>> need to be specified and I'm sure there are already a bunch of methods with IPRs). Then the >> actual >>>> end-point would send back an INIT-ACK with a specific parameter indicating the this INIT-ACK >>> belongs >>>> to the INIT which was sent to the address of the load balancer, but that particular address will >>> not >>>> be used anymore. This way the load balancer is not involver in the actual communication anymore. >>>> [teiclap] This is a new scenario that I didn't consider. All the Load Balancers I have seen so >> far >>>> are integrated with a NAT, but having a LB that can redirect without being NAT itself I have to >>>> think and write a Use Case for it. Thanks. >>>> >>>>> >>>>> The proposal doesn't require VTAG handling and the related avoidance/synchronization between >>>> server >>>>> instances, which the current proposal would require. >>>>> The NAT only does tracking individual paths, the egressing traffic creates return paths towards >>>> each >>>>> instance avoids the need for VTAG handling. >>>>> Tracking is thus handled by a single mechanism that is needed for all cases to deal with >> multiple >>>>> SCTP endpoints sending traffic towards the same remote address. >>>>> >>>>> >>>>> The following basic scenarios are considered >>>>> >>>>> 1) >>>>> +-------+ >>>>> [SCTP client C1]----------+ | >>>>> [SCTP client C2]----------+ NAT +----- >>>>> [SCTP client C3]----------+ | >>>>> +-------+ >>>>> Where SCTP Hosts implementing SCTP Endpoints C1,C2,C3 behave as pure clients, single-homed >>>>> >>>>> 2) >>>>> +-------+ >>>>> [SCTP server S1]----------+ | >>>>> [SCTP server S2]----------+ NAT +----- >>>>> [SCTP server S3]----------+ | >>>>> +-------+ >>>>> Where SCTP Hosts implementing SCTP Endpoints S1,S2,S3 behave as servers, single-homed >>>>> >>>>> 3) >>>>> +-------+ >>>>> [SCTP server S1]----------+ | >>>>> [SCTP server S1]----------+ LB +----- >>>>> [SCTP server S1]----------+ | >>>>> +-------+ >>>>> Where SCTP Hosts implementing a distributed SCTP Endpoint S1, behaving as a server, > single-homed >>>> I do see that different from NAT. There is no NAT necessary for this, just an address change >>> during >>>> the handshake. >>>> [teiclap] Correct, this is the integrated LB+NAT. I will fix it. >>>> >>>>> >>>>> 4) >>>>> >>>>> +--------------+ +-------+ >>>>> | + | | >>>>> |SCTP client C1+----------+ NAT +----- >>>>> | +----+ +--+ | >>>>> +--------------+ | | +-------+ >>>>> | | >>>>> +--------------+ | | +-------+ >>>>> | +--- |--+ | | >>>>> |SCTP client C2| +-----+ NAT +----- >>>>> | +----------+ | >>>>> +--------------+ +-------+ >>>>> Where SCTP Hosts implementing SCTP Endpoints C1,C2 behave as pure clients, multi-homed >>>>> >>>>> 5) >>>>> +--------------+ +-------+ >>>>> | + | | >>>>> |SCTP server S1+----------+ NAT +----- >>>>> | +----+ +--+ | >>>>> +--------------+ | | +-------+ >>>>> | | >>>>> +--------------+ | | +-------+ >>>>> | +--- |--+ | | >>>>> |SCTP server S2| +-----+ NAT +----- >>>>> | +----------+ | >>>>> +--------------+ +-------+ >>>>> Where SCTP Hosts implementing SCTP Endpoints S1,S2 behave as servers, multi-homed >>>>> >>>>> 6) >>>>> +--------------+ +-------+ >>>>> | + | | >>>>> |SCTP server S1+----------+ LB +----- >>>>> | +----+ +--+ | >>>>> +--------------+ | | +-------+ >>>>> | | >>>>> +--------------+ | | +-------+ >>>>> | +--- |--+ | | >>>>> |SCTP server S1| +-----+ LB +----- >>>>> | +----------+ | >>>>> +--------------+ +-------+ >>>>> Where SCTP Hosts implementing a distributed SCTP Endpoint S1, behaving as a server, multi-homed >>>>> >>>>> 7) >>>>> Any complex scenario built with those such as: >>>>> >>>>> +-------+ >>>>> [SCTP client C1]----------+ | >>>>> [SCTP client C2]----------+ NAT +-----+ >>>>> [SCTP client C3]----------+ | | >>>>> +-------+ | +------+ >>>>> +----+ | >>>>> [SCTP server S1]-----------------------------+ LB +------- IP A >>>>> [SCTP server S1]-----------------------------+ | >>>>> +-------+ +-------+ | >>>>> [SCTP client C4]----------+ | | +------+ >>>>> [SCTP client C5]----------+ NAT +--+ >>>>> +----+ | >>>>> +--------------+ | +-------+ >>>>> | +-----+ >>>>> |SCTP server S2] +-------+ >>>>> | +----------+ | >>>>> |--------------+ | NAT +------------------------- IP B >>>>> [SCTP client C6]----------+ | >>>>> [SCTP server S4]----------+ | >>>>> +-------+ >>>>> >>>>> >>>>> In the example above clients C1, C2, C3, C4, C5 and servers S1 and S2 share the same external > IP >>>> A, >>>>> client C6 exploits the external IP B and server S3 is multihomed and exploits IP A and IP B. >>>> Server >>>>> S4 exploits IP B as well. >>>>> >>>>> Server S1 and S2 are seen as a single, distributed SCTP Endpoint, NAT LB does inspect >> Association >>>>> requests and assigns the serving SCTP host based on a Load Sharing algorithm. >>>> Except the the LB, one can argue which scenarios need to be supported. But, except LB, all of >> them >>>> are fine. >>>>> >>>>> >>>> >>> >> > ---------------------------------------------------------------------------------------------------- >>>>> ----- >>>>> >>>>> It's important to state that unless being part of a SCTP Distributed Endpoint, the port number >>>> used >>>>> when defining the SCTP Endpoints of a SCTP server behind a NAT need to be unique. >>>> That is the fundamental difference between your proposal and the one in > draft-ietf-tsvwg-natsupp. >>>> draft-ietf-tsvwg-natsupp does assume that handling of local port number collisions is required, >>>> whereas >>>> your proposal does assume that it is not required. >>>> [teiclap] I need to specify it better. One of the problem with SCTP server behind NAT is that >>>> there's no way for selecting which one if the same port is used. I meant that when instantiating >>>> SCTP Endpoints behind NAT, the port number assignment needs to be planed for avoiding clients to >>> be >>>> connected to the wrong server. >>>> >>>>> - What is kept from the draft natsupp v22 >>>>> Similar to what described in the current draft-ietf-tsvwg-natsupp there's the need of a >>>> cooperation >>>>> between SCTP Hosts and NAT device in order to allow Association setup and traffic exchange. >>>>> The NAT devices will take a lookup table that is meant to keep the state of the Association >>>> limited >>>>> to what is needed in NAT. >>>>> NAT has a functions for searching the lookup table and take a decision based on the results. >>>>> >>>>> The SCTP Endpoint takes the responsibility to take decisions based on the feedbacks received >> from >>>>> the network in order to setup the Association. >>>>> >>>>> An Association is established towards the primary peer interface first, then the other paths >> that >>>>> belong tp a multihomed association are added by means of ASCONF messages. >>>>> >>>>> The following extensions are taken (Only needed for Optional Part) >>>>> ----------------------------- >>>>> >>>>> Extended ERROR Chunk >>>>> >>>>> 0 1 2 3 >>>>> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>> | Type = 9 | Reserved |M|T| Length | >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>> \ \ >>>>> / zero or more Error Causes / >>>>> \ \ >>>>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>>>> >>>>> The ERROR chunk defined in [RFC4960] is extended to add the new 'M >>>>> bit'. The M bit indicates to the receiver of the ERROR chunk that >>>>> the chunk was not generated by the peer SCTP endpoint, but instead by >>>>> a middle box. >>>>> >>>>> ---------------------------------------------------------------------------------------------- >>>>> Proposal in details >>>>> ---------------------------------------------------------------------------------------------- >>>>> >>>>> The NAT functionality takes care of SCTP packets in EGRESS meaning that the SCTP packet is >>>>> originated from an SCTP host that is located behind the NAT itself, as well as SCTP packets in >>>>> INGRESS meaning that the SCTP packets are originated from the external network. >>>>> NAT learns about Associations by inspecting the SCTP Header only, it has knowledge of >>>>> [Source.IP:Source.Port;Dest.IP:Dest.Port]; a timer supervision exists at association level that >>>>> removes the Association information from the NAT after a timer expires. >>>>> NAT needs to recognize INIT chunks, this is achieved by looking at SCTP header since INIT must >> be >>>>> transported in a SCTP packet with VTag=0. >>>>> There's no Signaling between NAT and the SCTP host, rather SCTP host understands the NAT >> behavior >>>> as >>>>> it will experience retransmission faults when the NAT device cannot forward the SCTP packets. >>>>> >>>>> In details, the implementation of what proposed in this paper allows: >>>>> * Client in NAT environment to establish multihomed associations towards remote Servers >>>>> * Server in NAT environment to establish multihomed associations from remote Clients >>>>> * Client or Server in NAT environment to establish multihomed associations towards legacy RFC >>>>> 4960 peers >>>>> * NAT devices to cope with multihomed SCTP traffic >>>>> * NAT devices to cope with restart (with limitations) >>>>> >>>>> Limits of the proposed paper are described below: >>>>> * Network Address and Port Translation (NAPT) is not supported. >>>>> * Limited amount of possible association towards the same remote host (16 bit). >>>>> * Restart in NAT devices under some circumstances can go in race condition. >>>>> * Limited interwork with legacy SCTP Host >>>>> * Multiple Associations between the same SCTP Endpoints are not supported >>>>> >>>>> >>>>> >>>>> NAT device SCTP specialization >>>>> ============================== >>>>> >>>>> NAT need to implement NAT forwarding table for SCTP containing the information related to SCTP >>>>> Association as well as the forwarding. >>>>> NATTableEntry ::= [Source.IP:Source.Port;Dest.IP:Dest.Port;fwd.IP;NATTimer] >>>>> >>>>> Since Distributed SCTP Endpoint is supported, there are NAT that have multiple choices for >>>>> forwarding packets, i.e. there are multiple hosts having an SCTP Server at the same SCTP Port. >>>>> >>>>> SCTP Parsing >>>>> ------------ >>>>> In order to handle SCTP packets, NAT needs to discriminate packets containing an INIT chunk. >> This >>>> is >>>>> achieved by checking the Destination VTag in the SCTP Header, because SCTP packets containing >>> INIT >>>>> chunk have VTag = 0. >>>>> >>>>> Load Balancers >>>>> -------------- >>>>> A Load Balancer is a node in the network that hides the instantiation of an SCTP Endpoint over > a >>>> set >>>>> of SCTP Hosts in a local network. >>>>> The Load Balancer at INIT will select one SCTP Host for handling it, the traffic related to the >>>>> resulting Association will be NATted towards the chosen host. >>>>> When a INIT packet reaches a Load Balancer, there are multiple choices for the selected >>>>> Dest.Address:Dest.Port, LB will select one of the SCTP Hosts that can be elected for > terminating >>>> the >>>>> Association. It's out of scope of this paper the description of a selection algorithm. Note > that >>>>> multiple choices only applies to LB devices when INIT arrives as INGRESS. >>>>> >>>>> SCTP control functions >>>>> ---------------------- >>>>> NAT implementations provide the following functions: >>>>> >>>>> boolean lookupNAT(Source.IP, Source.Port, Dest.IP, Dest.Port) >>>>> returns TRUE if an entry in NATTable matches the given 4-tuple >>>>> >>>>> boolean multipleDestination(Dest.Port) >>>>> returns TRUE is multiple hosts exist sharing the given SCTP port >>>>> >>>>> void createNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> creates an entry at the NATTable with the given SCTP Association >>>>> >>>>> void forwardPacket(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> locate the given SCTP association in NATTable, do NAT and forward the packet. >>>>> Reset the NATTimer tied to the entry. >>>>> >>>>> void discardPacket(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> silently discard the packet for the given Association >>>>> >>>>> void destroyNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> removes from NATTable the entry related to the given SCTP Association >>>>> >>>>> void sendINITError(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> sends an ERROR Chunk towards Source.IP,Source.port with parameter "INIT cannot be forwarded" >>>>> >>>>> >>>>> Meta-code of the NAT behavior >>>>> >>>>> INGRESS Packets : >>>>> if pkt==INIT >>>>> if lookupNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> // This is congestion case, since multiple associations between the >>>>> // same SCTP Endpoints are not supported, the packet is discarded >>>>> discardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>> Doesn't this mean that a retransmission of an INIT chunk is not possible? So if for whatever >>>> reason the first packet of an association containing an INIT chunk is dropped in the network, >>>> the whole association setup fails? >>>> [teiclap] INIT chunk wil be retransmitted according to the Endpoint rules. Since NAT will >> silently >>>> discard those INIT, the Endpoint will experience expiring the retransmission counter. >>> But this takes a loooooong time... >>>> >>>>> *** OPTIONAL sendINITError(Source.IP,Source.port,Dest.IP,Dest.port); *** >>>>> else >>>>> if MultipleDestination(Dest.Port) >>>>> // This case applies only on Load Balancers and only with INGRESS >>>>> // Here LB solves the distributed Endpoint >>>>> Choose a local Host according to the Load Balancer Rules >>>>> // ----------------------------------------------------- >>>>> createNAT(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> forwardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> else >>>>> if lookupNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> forwardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> else >>>>> discardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> >>>>> >>>>> EGRESS Packets : >>>>> if pkt==INIT >>>>> if lookupNAT(Source.IP,Source.port,Dest.IP,Dest.port) // This is congestion case >>>>> discardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>> This means that a local port number collision results in permanent packet loss for the >>>> INIT chunks. For the end-point this looks like a long term network outage. >>>> [teiclap] Correct. >>>> >>>>> *** OPTIONAL sendINITError(Source.IP,Source.port,Dest.IP,Dest.port); *** >>>>> else >>>>> createNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> forwardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> else >>>>> if lookupNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> forwardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> else >>>>> createNAT(Source.IP,Source.port,Dest.IP,Dest.port) >>>>> forwardPacket(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> >>>>> NATTimer Expiration : >>>>> destroyNAT(Source.IP,Source.port,Dest.IP,Dest.port); >>>>> >>>>> >>>>> NAT behavior with SCTP packets >>>>> ------------------------------ >>>>> In a NAT where the HB packets are EGRESS, according to NAT behavior they can be: >>>>> discarded - in such case the sender will experience rtx timeout >>>>> forwarded to the right SCTP host - in this case the peer will reply with proper SCTP Chunk >>>>> forwarded to the wrong SCTP host - in this case the wrong host will see an OOTB packet. >>>> Why would a packet be delivered to the wrong SCTP host? Destination addresses are not > translated. >>>> [teiclap] This is a corner case that may happen when the server is a distributed Endpoint in >>>> transversal network, so that there are different NATs on different paths of a multihoming >>>> association. If the Association is closed, the NAT tables will survive in the different NATs for >>>> different times. If a new association is established between the same Endpoints and the Load >>>> Balancer function selects a different SCTP Host, and still the path towards the old SCTP Host >>> exists >>>> because the related NAT hasn't removed the NAT-table entry yet, it's possible that packets are >>> sent >>>> to the old SCTP Host that will see them as OOTB. >>> Hmm. I assumed that a load balancer acts for incoming packets in a deterministic fashion. >>>> >>>>> >>>>> In a NAT where the HB packets are INGRESS, according to NAT behavior they can be: >>>>> discarded - in such case the sender will experience rtx timeout >>>>> forwarded to the right SCTP host - in this case the peer will reply with proper SCTP Chunk >>>>> forwarded to the wrong SCTP host - in this case the wrong host will see an OOTB packet >>>> Why would that be a wrong entry in the NAT binding table? >>>> [teiclap] Because it's an old entry belonging to an Association that has been closed. >>> Ahh, I see. >>>> >>>>> >>>>> >>>>> Data Formats: >>>>> >>>>> ERROR Chunk >>>>> New parameter : HB with Inconsistent VTag >>>>> New parameter : ASCONF with Inconsistent VTag >>>>> New parameter : INIT cannot be forwarded >>>>> >>>>> INIT Chunk Parameters: (may appear in INIT, INIT-ACK and ASCONF) >>>>> IP Addresses NOT CONFIRMED >>>>> >>>>> >>>>> SCTP Endpoint behavior >>>>> ====================== >>>>> An SCTP Endpoint receiving an OOTB packet will check: >>>>> - If it's an HB packet, whose 4-uple is consistent with an Association established at that Host >>>>> but VTags are not known, an ERROR signal "HB with Inconsistent VTag" will be sent back. >>>> How can that happen? >>>> [teiclap] Explained above, due to SCTP and NAT be asynchronous. >>>> >>>>> - If it's an ASCONF packet with "Address 0.0.0.0" and ERROR signal "ASCONF with Inconsistent >>>> VTag" >>>>> will be sent back. >>>>> - A legacy RFC 4960 SCTP Host on the other hand should send an ABORT, whilst implementations >>>> exist >>>>> that can be configured for silently discarding OOTB packets. >>>>> >>>>> An SCTP Endpoint receiving an ERROR Chunk with parameter "INIT cannot be forwarded" will check >>>>> whether it has been caused by an own INIT by verifying source and destination IP addresses, >> ports >>>>> and VTAG. In case it maps an own INIT Chunk, the SCTP Host will behave as in case of rtx >> timeout, >>>>> otherwise that chunk will be treated as an OOTB chunk. >>>>> >>>>> NAT and port forwarding: we are not considering port forwarding as a valid NAT case, an SCTP >> Host >>>>> behind a NAT that does port forwarding for that SCTP Host is the same as exposing the SCTP Host >>>>> directly on the external network, in this case there's no need to change what the NAT does. >>>>> >>>>> In the following description we assume that all NAT and Load Balancers implement the NAT >> behavior >>>> as >>>>> described above. The remote SCTP Host on the other hand may implement legacy rfc4960, this is >>>>> considered in the Use Case description. >>>>> >>>>> Use Cases: >>>>> >>>>> Client only cases: >>>>> 1. Single-homed vs single-homed >>>>> Client sends INIT packet, if it does not succeed it will retry with a different Source.port >>>>> number. >>>> Again. This requires the application to create a new end-point and re-try to establish a >>>> new association using the new local end-point. How can the application how that the problem >>>> is a local port number collision and no the peer being currently unreachable? >>>> [teiclap] Correct. The whole part with Endpoints and port number requires rewriting. >>>>> Reason why INIT/INIT-ACK doesn't succeed is assumed to be due to a congestion in any of the NAT >>>>> being part of the path between the SCTP Endpoints. >>>> The can be congestion on the patch between the SCTP end-points, I agree. But in case of a packet >>>> drop due to congestion or any other reason for packet drop, retransmitting the packet is a >>>> way to handle it. In case of a local port number collision, retransmission is not a way to > handle >>>> this. How can the sender distinguish these two scenarios? >>>> [teiclap] The sender cannot distinguish. >>>> >>>>> >>>>> 2. Single-homed vs multihomed (public IP addresses known to the multihomed peer) >>>>> Client sends INIT packet, if it does not succeed it will retry with a different Source.port >>>>> number. >>>> See above. >>>>> INIT-ACK packet contains a new option that indicates the list of IP addresses is NOT CONFIRMED >>>> I don't understand this. Whether addresses are confirmed or not are a local issue on the sender >>>> side, not something the peer specifies. If a peer using a private address talks to a peer with >>>> public addresses, but can locally decided to run send HBs to ensure NAT binding table entries >>>> are generated. No need to let this being controlled by the peer. The peer does not know if >>>> it is talking to nodes behind a NAT or not. >>>> [teiclap] The reason behind NOT CONFIRMED is to reduce the check for odd OOTB chunks to HB. I >>> agree >>>> that this part can be improved. >>>> >>>>> >>>>> Since the set of remote IP addresses is not CONFIRMED, client will start probing with HB. >>>> This can just be a local decision. >>>> [teiclap] Yes, this is a local decision. To be improved in the overall description. >>>> >>>>> >>>>> According to NAT Behavior above, the peers can experience >>>>> - HB-ACK : the IP address becomes CONFIRMED >>>>> - rtx timeout : the sender keep on probing that path according to RFC 4960 >>>>> - ERROR "HB with Inconsistent VTag" : the IP address used for HB is permanently unavailable >>>>> and the sender MAY try to probe it again after a certain time >>>> Why would this be send? >>>> [teiclap] Correct. This is possibly a mistake. I need to check again the Use Case. >>>> >>>>> - ABORT : after checking that the ABORT has been caused by HB by checking the Source.IP, in >>>>> case it's confirmed that ABORT has been caused by HB, the sender will threat it in the same > mode >>>> as >>>>> an ERROR "HB with Inconsistent VTag". >>>>> >>>>> Note that, due to the network configuration, the multihomed Association resulting may not be >>>>> complete as a set of paths may be not possible to establish. >>>>> >>>>> >>>>> 3. Multihomed vs multihomed (public IP addresses known to the multihomed peers) >>>>> Client sends INIT packet, if it does not succeed it will retry with a different Source.port >>>>> number. >>>> See above. >>>>> INIT packet contains a new option that indicates the list of IP addresses is NOT CONFIRMED. >>>>> INIT-ACK packet also contains a new option that indicates the list of IP addresses is NOT >>>>> CONFIRMED. >>>>> >>>>> When succeeding, since the set of remote IP addresses is not CONFIRMED, client and server will >>>>> start probing with HB. >>>> I do see that the client can put entries into the NAT binding table by sending HB to the public >>>> addresses of the peer. But I don't see how the server does know the public addresses or the >>> client. >>>> The client can not put its private addresses into the INIT chunk due to scoping rules. So even >>>> though the client is multihomed, the peer doesn't know this. >>>> [teiclap] This assumes that it's possible to have a local configuration in the SCTP Host where >>>> public IP addresses are stored. It depends on implementation. >>> I my view, an end-point only lists IP addresses it owns, not addresses it thinks the peer might >>> see them. It is very hard to know which addresses are observed by a peer. >>>> >>>>> >>>>> The behavior of the peers is the same as described above in case 2. >>>>> >>>>> Same as case 2, multihomed Associations may not be completed. >>>>> >>>>> 4. Multihomed vs multihomed (public IP addresses unknown to the multihomed peer) >>>> Just to be clear: In my view each node only knows its own addresses. These can be public or >>> private >>>> IP addresses (let us not consider link local addresses). So in 1., 2., and 3., the server has >>>> public IP addresses it knows. The client has private IP-addresses it knows, but not its public >>>> addresses seem by it peer. >>>>> This case begins as the single-homed vs single-homed case until the Association is established. >>>>> >>>>> The peers, independently, will start adding further IP addresses to the Association, one at a >>>>> time, since the public IP address is unknown, the SCTP Host only knows the local IP addresses > it >>>> can >>>>> use. >>>>> The SCTP Endpoint will use rfc6051, it will send an ASCONF signal with IP-address = 0.0.0.0 >>>> using >>>>> one of the internal IP address as source towards a CONFIRMED peer's IP address. >>>> That requires cross routing to be working. This might or might not work. It also requires >>>> specific handling at the sender (it must be able to control the outgoing interface). >>>>> >>>>> According to NAT Behavior above, the peers can experience >>>>> - ASCONF-ACK : the IP address is added to the Association and path probing can start as in >>>>> case 2. >>>>> - rtx timeout : the IP address used for ASCONF is permanently unavailable >>>>> - ERROR "ASCONF with Inconsistent VTag" : the IP address used for ASCONF is permanently >>>>> unavailable and the sender MAY try to probe it again after a certain time >>>>> - ABORT : after checking that the ABORT has been caused by ASCONF by checking the Source.IP, >>>>> in case it's confirmed that ABORT has been caused by ASCONF, the sender will threat it in the >>> same >>>>> mode as an ERROR "ASCONF with Inconsistent VTag". >>>> I don't understand the vtag mismatch cases. How can they occur? >>>>> >>>>> Same as case 2, multihomed Associations may not be completed. >>>>> >>>>> 5. Server Endpoint vs Server Endpoint >>>>> This is a special case where both Endpoint have a fixed and well-known port number that MUST be >>>>> used as Source.port in the Association establishment. In such case, only one host within a NAT >>>> zone >>>>> can establish one Association towards another host in another NAT zone. >>>>> >>>>> The Endpoint acting as Client sends INIT packet, if not succeed it will not try again but >>>> inform >>>>> the application that it's not possible to establish an Association. >>>> This mean that the single packet loss due to a temporary failure will result in a permanent >>> failure. >>>> [teiclap] I was not clear in the description. Retransmissions are kept according to rfc4960. >>> But then it takes a very long time to deal with local port number collisions. >>>> >>>>> >>>>> 6. NAT restart. >>>>> If a NAT restarts, the NAT table is lost and the following events can occur: >>>>> An existing association keeps on sending packets on the set of paths known by the peers. >>>>> According to the NAT rules, those SCTP packets will make NAT re-creating the proper NAT entries >>>>> from the EGRESS traffic perspective. >>>>> >>>>> Race condition may happen when one sctp host will send an INIT packet that will arrive at the >>>>> NAT before a traffic packet can restore the NAT entry. In such case INIT has overwritten the > NAT >>>>> entry that was previously used by the existing association. >>>>> We see this event as very rare to happen, and the reason for it is because NAT is a blocking >>>> Isn't his a form of a local port number collision? You say it is very rare. Just to be sure, >>>> you agree the the birthday paradoxon considerations apply here. >>>> [teiclap] Yes. >>>> >>>>> mechanism that doesn't provide full capacity. A multihomed configuration can help reducing the >>>>> blocking probability. >>>>> >>>>> The race condition can be partially solved if the NAT waits for a time long enough to cope with >>>>> all the associations data or HB transmissions. After that time it can be assumed that all the >>>>> Associations using that NAT will have rebuilt the related entries in the NATTable. >>>>> The solution would not handle INIT chunks during that observation time, after that INIT chunks >>>>> can be handled. >>>>> >>>>> 6. Timing considerations >>>>> SCTP exploits internal retransmission timers for detecting how NAT devices on the paths are >>>>> acting and uses timeouts in order to take decisions on how to setup the multihomed association. >>>>> Here, the shorter the timers the quicker the setup procedure, still assuming that the initial >>>> setup >>>>> can go into collision a number of times it may take a significant time to setup associations. >> RFC >>>>> 4960 provides a set of recommended values to be used for timers and retransmission attempts, > the >>>>> adoption of those timers would need to be reconsidered in the scope of the current paper. >>>> I think whatever is written in an RFC would need to give parameters to be used in the Internet. >>>> Parameters to be used in specific application scenarios (signalling networks for nG >> (n=3,4,5,...)) >>>> are not considered in these documents (I agree, that this is bad, but that is a different > story). >>>> >>>> However, it should be OK to give a timer value for the NAT timer used in the public Internet and >>>> put that in relation to the HB timer. I guess that is the only timer relevant for keeping the >>>> entries in the NAT binding table active. >>>>> >>>>> The current paper has a simple state machine at the NAT devices based on a supervision timer, >>>>> this is possible because SCTP sends traffic over all the paths at least at HB timing rate for >>> path >>>>> probing. Every time an SCTP Packet is forwarded, NATTimer is restarted. >>>>> The choice of NATTimer value SHOULD ensure that there are no rtx timeouts due to NATTimer >>>>> expiration, in fact NATTimer needs to cope with the slowest traffic case that is path probing, >> is >>>>> then recommended that NATTimer is larger than 2 times HB timer, but at the same time NATTimer >>> must >>>>> release a path as soon as it's not being used by an active Association, this would suggest a >>> value >>>>> that is as short as possible. >>>>> A good compromise seems to be 2 * HB timer < NATTimer < 2 * HB timer. >>>> There is no value for NATTimer which fulfils this constraint. I guess there is a typo? >>>> [teiclap] Sure! It's 2 * HB timer < NATTimer < 4 * HB timer >>> OK. I see. Sounds good. >>>> >>>>> >>>>> >>>>> 7. Association setup improvement (Optional) >>>>> It is possible to improve the setup time for an association if NAT device could help SCTP host >>>>> to take a quick decision in case of collision. >>>>> This feature is optional and MAY be implemented at the NAT device, whilst handling is mandatory >>>>> at the SCTP host. >>>>> When a NAT device will receive an INIT chunk, it will check whether it can be forwarded by >>>>> inspecting the NAT lookup table. If it cannot be forwarded, it MAY send an SCTP Packet >> containing >>>> an >>>>> ERROR Chunk with parameter "INIT cannot be forwarded". Since no association exists yet, and >>>> because >>>>> VTAG=0 cannot be used, the NAT device need to parse the received INIT chunk and retrieve the >>>>> Initiate Tag that will be used as VTAG. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>> >> > ==================================================================================================== >>>>> ======================== >>>>> >>>>> Ericsson >>>>> >>>>> Claudio Porfiri >>>>> System Developer >>>>> >>>>> Developer >>>>> BNEW DNEW NSV PPA RAN Infra Architecture >>>>> Mobile: +46761498209 >>>>> claudio.porfiri@ericsson.com >>>>> >>>>> >>>>> Ericsson >>>>> Isafjordsgatan 14E >>>>> 164 80,Stockholm >>>>> Sweden >>>>> >>>>> Our commitment to Technology for Good and Diversity and Inclusion contributes to positive > change >>>> in >>>>> the Networked Society. >>>>> Follow us on: Facebook LinkedIn Twitter >>>>> Legal entity:ERICSSON AB registration number 556056-6258, registered office in >>>>> This communication is confidential. Our email terms >>>>> www.ericsson.com/en/legal/privacy/email-disclaimer >>>> >>> >>> >> >
- [tsvwg] Alternative proposal for nat support of S… Claudio Porfiri
- Re: [tsvwg] Alternative proposal for nat support … Michael Tuexen
- Re: [tsvwg] Alternative proposal for nat support … Claudio Porfiri
- Re: [tsvwg] Alternative proposal for nat support … Michael Tuexen
- Re: [tsvwg] Alternative proposal for nat support … Claudio Porfiri
- Re: [tsvwg] Alternative proposal for nat support … Michael Tuexen
- Re: [tsvwg] Alternative proposal for nat support … Claudio Porfiri
- Re: [tsvwg] Alternative proposal for nat support … Michael Tuexen
- Re: [tsvwg] Alternative proposal for nat support … Claudio Porfiri
- Re: [tsvwg] Alternative proposal for nat support … Michael Tuexen
- Re: [tsvwg] Alternative proposal for nat support … Claudio Porfiri