IETF Logo Mail Archive

Re: [v6ops] draft-palet-v6ops-transition-ipv4aas discussion

Richard Patterson <richard@helix.net.nz> Mon, 30 April 2018 08:58 UTC

Return-Path: <richard@helix.net.nz>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08E9E126D3F for <v6ops@ietfa.amsl.com>; Mon, 30 Apr 2018 01:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=helix-net-nz.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfYjdEorUYmy for <v6ops@ietfa.amsl.com>; Mon, 30 Apr 2018 01:58:48 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB276126CC4 for <v6ops@ietf.org>; Mon, 30 Apr 2018 01:58:47 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id e20-v6so8739157itc.1 for <v6ops@ietf.org>; Mon, 30 Apr 2018 01:58:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=helix-net-nz.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=hCAvDYzOr4nHRBPkJt7M7/wxG9Y0toX1D9q0jM/BTNY=; b=QuOsxZcfSqDkpz6Bf9IhKc2RHU94Q9YZ/RcjPUQuPG9rViuhuKlY9A/aWMsH6Zs6V6 W0MmWbNO7VTagstcC0k/vmG3nZxfIIBwdfGUl27k5h7JuNR1qWEIuIhcs7NHCJkbAqzY ekqOMxtjT4+44w8FKjPE/Wi6i0MxRHmUrupwaADxpYzB89A8dBU6heSuLId5DWfux0sl H8/nzUGwUJYKabMTg20gNHQCsDakX7yxi9N18Ks39RSD3Bxr0VWU40s7UT6219TN80a4 GRXNlblBGe0W/Gt3X4SbX8rfu2jocjfAJ+Odvn4xZjxRjhknqypMK7XBzS7HYx2/+Vsv X1pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=hCAvDYzOr4nHRBPkJt7M7/wxG9Y0toX1D9q0jM/BTNY=; b=ehK9CfVyE8US/XwAaLj/uKug7Zn+AKP9sR+5Bh4AYxDqdsxmm+WmLhQFR0LdjKE+hU zQCUd1fIFXDx9h1B69I3a/XAipUB7DyNYWgDFILIFOw769T+94ygzLPReMp4oIxGnomH 8A+JG87+Eqe0UTW1yWLyitE90ajhOHMGDJXPzRhgB5NqBfochZ+JYi9d04BlgPd+nBk0 YWDMQoaWhwU6PK+06KvUjaaEsPKSyg96Cj9wS+DODdqveCZZVGiV+h7RHEHLHObKVPgV CpMB5yzFSu9vjhfao48OUZAgIq8v11mjOzUG/56Lfc62MDZyrbyd+NWQyoxCPYt6sSug G3GQ==
X-Gm-Message-State: ALQs6tAKzxflqIRHl2Jg3Db2aFWMQJS/Q6PFiCBRGsHEt9g3oKpew5OQ vdfKaithOVezj1Xzo1bwuymVupwv
X-Google-Smtp-Source: AB8JxZqYNiyy99VhXo9qOjDrtH08ozNPoIz/i/DYz7oyBMXcOr0RIh8AXaKWR57VcwOK8DTImQGbQA==
X-Received: by 2002:a24:1995:: with SMTP id b143-v6mr4262121itb.84.1525078726690; Mon, 30 Apr 2018 01:58:46 -0700 (PDT)
Received: from mail-io0-f179.google.com (mail-io0-f179.google.com. [209.85.223.179]) by smtp.gmail.com with ESMTPSA id e15-v6sm3104858ioc.54.2018.04.30.01.58.45 for <v6ops@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 30 Apr 2018 01:58:45 -0700 (PDT)
Received: by mail-io0-f179.google.com with SMTP id d73-v6so9422356iog.3 for <v6ops@ietf.org>; Mon, 30 Apr 2018 01:58:45 -0700 (PDT)
X-Received: by 2002:a6b:30cd:: with SMTP id w196-v6mr11160822iow.183.1525078725719; Mon, 30 Apr 2018 01:58:45 -0700 (PDT)
MIME-Version: 1.0
References: <3A083AA8-41D3-4BF8-BE31-5071975B6F98@gmail.com> <CAHL_VyC1xUDDqZRz1r--u8nyuLaZRnsT0ZR7hzOw4HWUkgwPXg@mail.gmail.com> <52D64464-A1BB-4FFA-AA79-28B8953E3B93@gmail.com> <2D09D61DDFA73D4C884805CC7865E6114DD7F981@GAALPA1MSGUSRBF.ITServices.sbc.com> <ECDF4B32-1A4E-49A9-9255-091F2FEA78AF@gmail.com> <CAHL_VyBnRkmpNDcwqTTxu8DnUGFAdKgL+PB1pt9yFLQ==cM0aA@mail.gmail.com> <D8000940-273D-4C25-8B71-F75833B74462@consulintel.es> <787AE7BB302AE849A7480A190F8B93302DF126EC@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <694A1FF1-CA8C-42CC-87F3-789EA71807AE@employees.org> <787AE7BB302AE849A7480A190F8B93302DF12849@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAHL_VyA7AnhHQ6ktJ9ySTSjdrZ-JKZBpzJok8tLo+5Vhpcd4iw@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93302DF12AC0@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAHL_VyCrvfJeThcXEH+nJmHExju9yQsjdtU8-cMn47BBi_eTWQ@mail.gmail.com>
In-Reply-To: <CAHL_VyCrvfJeThcXEH+nJmHExju9yQsjdtU8-cMn47BBi_eTWQ@mail.gmail.com>
From: Richard Patterson <richard@helix.net.nz>
Date: Mon, 30 Apr 2018 08:58:35 +0000
X-Gmail-Original-Message-ID: <CAHL_VyDwBa0x2ksvUnLG-w3Tf7grzNx0qRebSGZscXhd4yLwag@mail.gmail.com>
Message-ID: <CAHL_VyDwBa0x2ksvUnLG-w3Tf7grzNx0qRebSGZscXhd4yLwag@mail.gmail.com>
To: "v6ops@ietf.org list" <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/oreXYgoiUepAiAzABwBrqrO2mFI>
Subject: Re: [v6ops] draft-palet-v6ops-transition-ipv4aas discussion
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2018 08:58:50 -0000

I'd like to reword the UPnP section to shift the focus a bit.  The content
is largely the same, but it should now highlight that UPnP SHOULD be
disabled when implementing an IPv4aaS mechanism, with exceptions for the
stateless methods, and when configured with an address sharing ratio of 1.

I also received some off-list comments about how the CE landscape hasn't
really changed and embraced the IGD:2 specs yet.  This is unfortunate as it
means they also lack the AddPinhole() function to manipulate the native
IPv6 firewall, although that's off topic for this draft.
So with that in mind, and following on from Med's comments, I'd like to
also add a SHOULD support the IGD:2 specs, if a CE chooses to implement
UPnP.


New proposed wording for §5:

"""
5. UPnP Support   (Removed "IGD-PCP IWF")

UPnP SHOULD be disabled by default on the CE Router when using an IPv4aaS
transition mechanism.

UPnP MAY be enabled when a CE is configured to use a stateless IPv4aaS
mechanism that allows unsolicited inbound packets through to the CE, such
as MAP or LW4o6, or when configured with a port set containing all 65535
ports, e.g. with an IPv4 address sharing ratio of 1.

If UPnP is enabled on a CE, the UPnP agent MUST reject any port mapping
requests for ports outside of the port set allocated to the CE Router.

UPnP MAY also be enabled on a CE configured for IPv4aaS mechanisms that
support PCP [RFC6887], if implemented in conjunction with a method to
control the external port mapping, such as IGD-PCP IWF [RFC6970].

A CE that implements a UPnP agent, SHOULD support the Open Connectivity
Foundation's IGD:2 specification, including the AddAnyPortMapping()
function.
"""
On Fri, 27 Apr 2018 at 13:46, Richard Patterson <richard@helix.net.nz>
wrote:

> On Fri, 27 Apr 2018 at 13:03, <mohamed.boucadair@orange.com> wrote:

> > I know some applications are still using IGD:1, but I hope they will
move
> to the IGD:2.

> When I was testing this nearly 4 years ago, I struggled to find CPEs with
> IGD:2 support.  Hopefully the landscape has changed now that IGD:1 has
been
> deprecated.
> But then as you say, we still need the applications to update their
> behaviour and adopt the looser AddAnyPortMapping() instead of the more
> specific AddPortMapping()

> I'd be more confident in RFC6970 as a useful mitigation then.

> -Rich

v2.23.0 | Report a Bug | By Email