
Re: threats ID



Kurt;

I think there is a notable difference. In my reading you are using NAT very loosely for all forms of address rewrite. NAT to me does static rewrites, with no form of signaling.

Wrong. Rewriting is not the essential problem.


Right. The problem is lack of signaling OF *CONNECTIONS*.

As you might know, there are no connections and no signaling at
the IP layer.

Right, but along the same lines of reasoning - NAT won't break anything at the _IP_ layer. It might break things at the ULPs though.

And the broken ULPs need repairing, which means ULPs are modified.


Thus, the only thing NAT and other layer 3 things can do is
guess the connection state from a lack of communication
for a certain period of time, though, sometimes, you can detect
TCP SYN and FIN.

I would say that this is the difference between (most) of the proposals in multi6 and NAT. The proposals have provided mechanisms to let ULPs handle referrals, even when there is rewriting. Something that NAT does not provide.

Are you saying ULP modification is necessary or not?


However, that you observe no traffic over a connection does
not necessarily mean that the connection is broken.

True. Which is also the topic of a long thread here some time ago.

It is obvious evidence that NAT is a bad idea, which is not worth a long thread.

There is no signaling unless layer 4 and above are involved,
though guessing may work for TCP.


The mechanisms to allow address rewrite will have to

a) Leave to the ULPs to handle connection state and connection verification. An aid in doing this might be to create a middle layer (the 3.5) which functions as a recording mechanism on state.

As there can be no such thing under UDP, such a middle layer, if any, becomes layer 4 protocol specific and is a part of the layer 4 protocol. So, call it modified layer 4.

b) Provide a means to the ULPs to handle referrals transparently. Again, this can be done with a shim layer, or in other ways.

Are you saying you modify ULPs or not?


To dive into semantics, part of the problem/difference between multi6 proposals and NAT is the fact that NAT _is_ transparent to the ULPs and that no state is recorded at the end-nodes.

You misunderstand NAT.


NAT (including so called IP layer multi6 proposals) is not
transparent.

NAT does not have correct knowledge of the information recorded at
the ULPs of the ends, so NAT cannot properly interoperate with
them.

Masataka Ohta
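The point argued above, that a NAT can only guess connection state from packet flags or from silence, is easy to see in a small model. The following is an added illustration written for this page; it is not code from the thread, from any multi6 proposal, or from a real NAT implementation. The addresses, ports, timeouts and the simplified TCP state handling are constructed assumptions. For TCP the model keys off SYN and FIN as the text says a NAT sometimes can; for UDP it has nothing but an idle timer, so a session that merely goes quiet loses its binding even though neither end considers it closed.

```python
"""Minimal model of the connection-state guessing a NAT has to do.

Added illustration, not code from the thread or from any multi6
proposal. Addresses, ports and timer values are constructed.
"""
from dataclasses import dataclass

# Constructed timer values (assumptions, not taken from the thread).
TCP_IDLE_TIMEOUT = 7200.0   # seconds of silence before an ESTABLISHED TCP binding is dropped
UDP_IDLE_TIMEOUT = 30.0     # seconds of silence before a UDP binding is dropped


@dataclass
class Binding:
    proto: str
    inside: tuple            # (ip, port) on the private side
    outside: tuple           # (ip, port) the NAT rewrote the source to
    last_seen: float
    tcp_state: str = "NEW"   # NEW -> ESTABLISHED -> CLOSING; guessed from flags, TCP only


class Nat:
    """A one-way address/port rewriter with a binding table and idle timers."""

    def __init__(self, public_ip="203.0.113.1", first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside (ip, port), peer (ip, port)) -> Binding
        self.table = {}

    def outbound(self, proto, src, dst, now, tcp_flags=()):
        """Rewrite an outbound packet; returns the (ip, port) the peer will see."""
        self.expire(now)
        key = (proto, src, dst)
        b = self.table.get(key)
        if b is None:
            b = Binding(proto, src, (self.public_ip, self.next_port), now)
            self.next_port += 1
            self.table[key] = b
        b.last_seen = now
        if proto == "tcp":
            # The NAT never sees the ULP's view; it infers state from flags it happens to observe.
            if "SYN" in tcp_flags:
                b.tcp_state = "ESTABLISHED"
            if "FIN" in tcp_flags or "RST" in tcp_flags:
                b.tcp_state = "CLOSING"
        return b.outside

    def inbound(self, proto, peer, dst_public, now):
        """Translate a reply back to the inside address; None means no binding, packet dropped."""
        self.expire(now)
        for (proto_k, _src, dst_k), b in self.table.items():
            if proto_k == proto and dst_k == peer and b.outside == dst_public:
                b.last_seen = now
                return b.inside
        return None

    def expire(self, now):
        """Drop bindings the NAT guesses are dead: closed by flags, or silent too long."""
        dead = []
        for key, b in self.table.items():
            idle = now - b.last_seen
            if b.proto == "tcp":
                if b.tcp_state == "CLOSING" or idle > TCP_IDLE_TIMEOUT:
                    dead.append(key)
            elif idle > UDP_IDLE_TIMEOUT:
                dead.append(key)
        for key in dead:
            del self.table[key]


def silent_udp_flow_demo():
    """A UDP session that pauses longer than the NAT's idle timer.

    Returns (reply delivered before the pause, reply delivered after the pause).
    The second is False although neither host ever ended the session: with
    no signaling available, the NAT guessed wrong.
    """
    nat = Nat()
    inside = ("10.0.0.5", 5000)          # constructed private host
    peer = ("198.51.100.7", 53)          # constructed peer
    public = nat.outbound("udp", inside, peer, now=0.0)
    before = nat.inbound("udp", peer, public, now=1.0) == inside
    after = nat.inbound("udp", peer, public, now=1.0 + UDP_IDLE_TIMEOUT + 1.0) == inside
    return before, after


def tcp_fin_demo():
    """TCP gives the NAT something to key off: the binding survives a quiet
    period shorter than its timer, and is dropped once a FIN is seen.
    Returns (reply delivered while established, reply dropped after FIN)."""
    nat = Nat()
    inside = ("10.0.0.5", 5001)
    peer = ("198.51.100.7", 80)
    public = nat.outbound("tcp", inside, peer, now=0.0, tcp_flags=("SYN",))
    alive = nat.inbound("tcp", peer, public, now=100.0) == inside
    nat.outbound("tcp", inside, peer, now=101.0, tcp_flags=("FIN",))
    closed = nat.inbound("tcp", peer, public, now=102.0) is None
    return alive, closed
```

The two demo functions are the whole point: `silent_udp_flow_demo()` returns `(True, False)`, the live-but-idle UDP session being cut off by the timer, while `tcp_fin_demo()` returns `(True, True)` because the flags gave the NAT a signal to act on. Nothing in the model lets the hosts tell the NAT their actual connection state, which is the gap the thread is arguing about.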