Re: [tsvwg] I-D Action: draft-ietf-tsvwg-natsupp-16.txt

mohamed.boucadair@orange.com Wed, 15 July 2020 13:12 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BECD3A084A for <tsvwg@ietfa.amsl.com>; Wed, 15 Jul 2020 06:12:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 73N6RfaUGKp0 for <tsvwg@ietfa.amsl.com>; Wed, 15 Jul 2020 06:12:03 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A6533A0842 for <tsvwg@ietf.org>; Wed, 15 Jul 2020 06:12:03 -0700 (PDT)
Received: from opfedar00.francetelecom.fr (unknown [xx.xx.xx.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by opfedar25.francetelecom.fr (ESMTP service) with ESMTPS id 4B6Hpp1lwNz8tL6; Wed, 15 Jul 2020 15:12:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1594818722; bh=r/83PjXV2nr0Guxt+rwXSztXw7ZOpLoNggSsYhm4dAY=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=TQkHUv8RRBii3ilXaPEfmEESMqMAbQxX5+B9SJHm9o2U8SbNPLsbdUbKQ9uMxbhnN SOsmiNIReTi8FyAZukIQ50K3MdDjz6UwzEfmkphPI2R0FQZF6jX2xNBn+HLhYzg85T LoNakyfnNNmCe2/6K3ZogfilutLYw29ILkvOUgZmM+OPeB/4+TiLncPulM8RHDStFT LsXN4ezU0oI4VPSopW+o5/RoFD53nKZcB/3ErYIy9g3q4XWqeTpLWBZfb2ZGDfATvx rHJjEyN6gNULmfshNMFOu0I3NH87KAbkKigJ4jOyH5ihbM7cOua9yuGhl6qG2BNL0R LQ8t3RND5inQA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by opfedar00.francetelecom.fr (ESMTP service) with ESMTPS id 4B6Hpp0K6MzCqkv; Wed, 15 Jul 2020 15:12:02 +0200 (CEST)
From: <mohamed.boucadair@orange.com>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] I-D Action: draft-ietf-tsvwg-natsupp-16.txt
Thread-Index: AQHWWSx2V/JkZ8CJa0mEhFmJWSTrQ6kIlV3g
Date: Wed, 15 Jul 2020 13:12:00 +0000
Message-ID: <9842_1594818722_5F0F00A2_9842_128_4_787AE7BB302AE849A7480A190F8B9330314F980A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <158377886936.5575.9623052267692928298@ietfa.amsl.com> <4C917C1B-74C0-4E5E-B26C-3CD6A0B2544C@lurchi.franken.de> <787AE7BB302AE849A7480A190F8B93303148DE10@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <F3B1520B-593F-426A-8AC4-9B2371A82B37@lurchi.franken.de> <787AE7BB302AE849A7480A190F8B9330314902D1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <FC1544B5-87B1-4A46-BEA7-00541206883A@lurchi.franken.de>
In-Reply-To: <FC1544B5-87B1-4A46-BEA7-00541206883A@lurchi.franken.de>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/ZR1bh3f7gxB-SGFuxR5lCRUuLCY>
Subject: Re: [tsvwg] I-D Action: draft-ietf-tsvwg-natsupp-16.txt
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 13:12:05 -0000

Hi Michael, 

Thank you for these changes and also for the NEW text in the fragmentation section. 

I skimmed over the new version. This looks good overall but I still have some comments on fragmentation: 
 
* By "NAT function MUST support IP reassembly", do you mean "NAT function MUST reassemble"? Or do you have in mind a configuration knob to enable/disable the behaviour? 
* I still don't see why it is the responsibility of the NAT to reassemble packets. Of course, an implementation can decide to do so. 
* I prefer the behaviour in RFC6146 that says the following: 

==
   If the incoming IP packet contains a fragment, then more processing
   may be needed.  This specification leaves open the exact details of
   how a NAT64 handles incoming IP packets containing fragments, and
   simply requires that the external behavior of the NAT64 be compliant
   with the following conditions:

      The NAT64 MUST handle fragments.  In particular, NAT64 MUST handle
      fragments arriving out of order, conditional on the following:

      *  The NAT64 MUST limit the amount of resources devoted to the
         storage of fragmented packets in order to protect from DoS
         attacks.

      *  As long as the NAT64 has available resources, the NAT64 MUST
         allow the fragments to arrive over a time interval.  The time
         interval SHOULD be configurable and the default value MUST be
         of at least FRAGMENT_MIN

      *  The NAT64 MAY require that the UDP, TCP, or ICMP header be
         completely contained within the fragment that contains fragment
         offset equal to zero.

      For incoming packets carrying TCP or UDP fragments with a non-zero
      checksum, NAT64 MAY elect to queue the fragments as they arrive
      and translate all fragments at the same time.  In this case, the
      incoming tuple is determined as documented above to the un-
      fragmented packets.  Alternatively, a NAT64 MAY translate the
      fragments as they arrive, by storing information that allows it to
      compute the 5-tuple for fragments other than the first.  In the
      latter case, subsequent fragments may arrive before the first, and
      the rules (in the bulleted list above) about how the NAT64 handles
      (out-of-order) fragments apply.

      For incoming IPv4 packets carrying UDP packets with a zero
      checksum, if the NAT64 has enough resources, the NAT64 MUST
      reassemble the packets and MUST calculate the checksum.  If the
      NAT64 does not have enough resources, then it MUST silently
      discard the packets.  The handling of fragmented and un-fragmented
      UDP packets with a zero checksum as specified above deviates from
      that specified in [RFC6145].
==

In any case, I'm afraid you will need to add details such as: amount of time/resources a NAT can wait for out of order fragments. You may reuse some of the text from RFC 6146, including the default frag timeout.

* Consider this change to align with REQ-13 of RFC4787:

OLD:
   When an SCTP packet has to be fragmented by the NAT function and the
   IP header forbids fragmentation a corresponding ICMP packet SHOULD be
   sent.

NEW:
   When an SCTP packet has to be fragmented by the NAT function and the
   IP header forbids fragmentation, the NAT MUST send back an ICMP message 
   "Fragmentation needed and DF set" to the internal host.

* Consider aligning with RFC7857#section-10:

   A NAT SHOULD handle the Identification field of translated
   IP packets as specified in Section 5.3.1 of [RFC6864].

* Cite RFC4963 in the security section.

Hope this helps. 

Cheers,
Med

> -----Message d'origine-----
> De : Michael Tuexen [mailto:Michael.Tuexen@lurchi.franken.de]
> Envoyé : lundi 13 juillet 2020 17:44
> À : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@orange.com>
> Cc : tsvwg@ietf.org
> Objet : Re: [tsvwg] I-D Action: draft-ietf-tsvwg-natsupp-16.txt
> 
> >
> > Hi Michael,
> >
> > Your new "Basic network setup" is better. Thanks.
> OK, using it.
> >
> > I would add a note saying the following:
> >
> > "The NAT in the document refers to NAPT described in Section 2.2
> of [RFC3022], NAT64 [RFC6146], or DS-Lite [RFC6333]."
> Added.
> 
> Best regards
> Michael
> >
> > Cheers,
> > Med
> >
> >> -----Message d'origine-----
> >> De : Michael Tuexen [mailto:Michael.Tuexen@lurchi.franken.de]
> >> Envoyé : mardi 7 avril 2020 14:10
> >> À : BOUCADAIR Mohamed TGI/OLN
> >> Cc : tsvwg@ietf.org
> >> Objet : Re: [tsvwg] I-D Action: draft-ietf-tsvwg-natsupp-16.txt
> >>
> >>> On 3. Apr 2020, at 18:42, mohamed.boucadair@orange.com wrote:
> >>>
> >>> Hi Michael,
> >>>
> >>> Please see inline.
> >>>
> >>> Cheers,
> >>> Med
> >>>
> >>>> -----Message d'origine-----
> >>>> De : tsvwg [mailto:tsvwg-bounces@ietf.org] De la part de
> Michael
> >>>> Tuexen Envoyé : lundi 9 mars 2020 19:50 À : tsvwg@ietf.org
> Objet :
> >>>> Re: [tsvwg] I-D Action: draft-ietf-tsvwg-natsupp-16.txt
> >>>>
> >>>>> On 9. Mar 2020, at 19:34, internet-drafts@ietf.org wrote:
> >>>>>
> >>>>>
> >>>>> A New Internet-Draft is available from the on-line Internet-
> Drafts
> >>>> directories.
> >>>>> This draft is a work item of the Transport Area Working
> Group WG
> >> of
> >>>> the IETF.
> >>>>>
> >>>>>      Title           : Stream Control Transmission Protocol
> >> (SCTP)
> >>>> Network Address Translation Support
> >>>>>      Authors         : Randall R. Stewart
> >>>>>                        Michael Tuexen
> >>>>>                        Irene Ruengeler
> >>>>> 	Filename        : draft-ietf-tsvwg-natsupp-16.txt
> >>>>> 	Pages           : 47
> >>>>> 	Date            : 2020-03-09
> >>>> Dear all,


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.