IETF Logo Mail Archive

Re: [v6ops] [BEHAVE] protocols without need for ALG ?

🔓Dan Wing <dwing@cisco.com> Fri, 31 July 2015 18:41 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C98171B3476; Fri, 31 Jul 2015 11:41:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.21
X-Spam-Level:
X-Spam-Status: No, score=-13.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_BACKHAIR_37=1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uqYmTZNh6qtt; Fri, 31 Jul 2015 11:41:43 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3614B1B3472; Fri, 31 Jul 2015 11:41:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13157; q=dns/txt; s=iport; t=1438368103; x=1439577703; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=fusxcXN+BnkpsK6oNMqDohRb1ve9KbfWIIUgCWgPdL4=; b=WbUXdOMXL07R5tg+gMxWVFTCTqpRI3jkhRU622q6bn+AFej7uPp5MpCo U44VTa6zDawAWaFceaBqAcqIEZMGQQFn9RQcOjQEIFkfu+ZiTapUlcIoT h86MhTbX0NqNkp2N+NOoobQ7Z8BFo1XttuA5xEPrsvy4QkZ44/Gg6bkLV c=;
X-IronPort-AV: E=Sophos; i="5.15,586,1432598400"; d="scan'208,217"; a="16718101"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-5.cisco.com with ESMTP; 31 Jul 2015 18:41:42 +0000
Received: from [10.24.84.19] ([10.24.84.19]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t6VIffMi005487 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 31 Jul 2015 18:41:42 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_B38AB86B-252E-4DDA-9ADB-7683EFF0B9D4"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: 🔓Dan Wing <dwing@cisco.com>
In-Reply-To: <CAD6AjGSKc0jGSkgSKdMsY1gZwYYguJQ06f4nZsWEqBdR9J3e6w@mail.gmail.com>
Date: Fri, 31 Jul 2015 11:41:40 -0700
Message-Id: <43CF0BAE-637D-4462-B067-3ED16E7A5D29@cisco.com>
References: <20150730205806.GI1667@cisco.com> <CAD6AjGSKc0jGSkgSKdMsY1gZwYYguJQ06f4nZsWEqBdR9J3e6w@mail.gmail.com>
To: Ca By <cb.list6@gmail.com>, Toerless Eckert <eckert@cisco.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/Gt63Xgv9q7ST1U3vnj9TJY-Fb-Q>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [v6ops] [BEHAVE] protocols without need for ALG ?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2015 18:41:45 -0000

On 31-Jul-2015 06:37 am, Ca By <cb.list6@gmail.com> wrote: 
> 
> 
> On Thursday, July 30, 2015, Toerless Eckert <eckert@cisco.com <mailto:eckert@cisco.com>> wrote:
> For autonomic networking (ANIMA WG), we are planning to rely only on IPv6 for initial
> autonomic connectivity, and the question of connecting this (at least initially)
> to IPv4 only NOC equipment came up. Alas, IPv6 support in transport seems to be still
> weak on a range of commonly used NOC tools.
> 
> 
> Ehhh. For something as forward looking as anima , it is unfortunate that you believe you will need to bring this technical debt with you. 

+1.  Let's please kill ALGs.


See below.


> My suggeation is that you require ipv6 for this case. If you do not shed this requirement now, you will carry it with you forever. 
> 
> The iphone can require ipv6 apps, so can anima. 
> 
> CB
>  
> If i understand the NAT RFCs and behave output correctly, we primaerily
> want ALGs to go the way of the dodo, so i was wondering if there might be
> any crucial protocols between typical NOC equipment and network devices that
> would require ALGs. And better of course:knowing which protocols would be fine
> without ALG.
> 
> Are there any lists about this (eg: what requires ALG ?)
> 
> Wrt to what seems to be important between NOC and network devices:
> 
>    FTP     - NOK (requires ALG) - IMHO not a problem

FTP is a troublesome case.  All modern FTP clients default to using PASV -- IE 6 was the last holdout that didn't do PASV and thus broke with NAT or required an FTP ALG.  However,  PASV doesn't work with IPv6 servers which need EPSV.  So certain NAT46 and NAT64 cases will break unless there is an FTP ALG.  Hence, BEHAVE wrote RFC6384 which explains NAT64 case, but there isn't a document explaining the 464XLAT situation with FTP.  Better to just declare FTP dead.  Passive (both PASV and EPSV) are vulnerable to a connection theft (see http://cr.yp.to/ftp/security.html <http://cr.yp.to/ftp/security.html>).  For whatever it's worth, both Chrome and Firefox have open bugs to remove FTP from both of those browsers.

Instead of FTP, profile that anima has to use HTTP or HTTPS.


>    traceroute - ??  (initiated from v4 NOC) ??

OK.


>    telnet  - OK
>    ping    - OK ?
>    SSH/SCP - OK
>    syslog  - OK
>    TFTP    - OK ?


TFTP breaks if the NAT (or firewall) have Address and Port-Dependent Filtering behavior (defined at https://tools.ietf.org/html/rfc4787 <https://tools.ietf.org/html/rfc4787>#section-5).  This is because TFTP client sends a packet to the server's port 69, and the server's response is sent from an ephemeral port (rather than from port 69).  Some NATs and some firewalls change their filtering behavior if the destination port is 69, and because behavior changes based on the application (TFTP) many people would consider that to be an "ALG", although the NAT is not modifying the application payload, which is arguably the strict definition of an ALG.

Instead of FTP, profile that anima has to use HTTP or HTTPS.


>    radius  - OK ? (i ran some tests, seemed to be fine)
>    diameter/tacacs+ - OK ?
>    NTP     - OK ???
> 
>    For the following, that have extensible data-models (MIBs/OIDs, XML schema etc.),
>    i can see that some NOC tools relying on them might not support data-models
>    with IPv6, but that would be "fine" (aka: can't manage everything from such tools,
>    but transport stack works):
> 
>    netconf - OK ?
>    SNMP    - OK ?

SNMP often contains IP addresses (e.g., IP address of configured interfaces) which can confuse a management system that isn't aware of NAT.  We certainly don't want an ALG to fiddle with SNMP, though, that would be a nightmare.  Polling SNMP across a firewall or NAT is problematic or impossible (and ALG can't fix that).

-d


> 
> Whats the next most important NOC<->network management protocols... ?
> 
> Thanks!
>     Toerless
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org <javascript:;>
> https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email