[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The argument for writing a general purpose NAT for IPv6

To: IETF V6OPS WG <v6ops@ops.ietf.org>
Subject: Re: The argument for writing a general purpose NAT for IPv6
From: james woodyatt <jhw@apple.com>
Date: Fri, 20 Apr 2007 23:09:35 -0700
In-reply-to: <02bd01c783b9$959b7490$c0d25db0$@net>
References: <E1H56s6-0007us-HB@stiedprstage1.ietf.org> <200704111052.05934@auguste.remlab.net> <F26D69F6-8BEE-4D3D-A5B4-C730E9975DA1@apple.com> <200704112214.30985@auguste.remlab.net> <F65A3EA3-3E07-4C63-A4FF-C94832D556FC@apple.com> <70C6EFCDFC8AAD418EF7063CD132D06404352E36@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <200704130208.l3D28UWs017668@cichlid.raleigh.ibm.com> <F7359BE1-601E-4047-AC44-8653872303E2@apple.com> <20070415095925.28786098.ipng@69706e6720323030352d30312d31340a.nosense.org> <406C954E-B2D4-4EE0-904F-12C65902EA13@apple.com> <20070417061641.6df36300.ipng@69706e6720323030352d30312d31340a.nosense.org> <D9E32C70-B89D-4417-8340-38C79657F6A9@apple.com> <46248630.8020804@zurich.ibm.com> <courier.46248EB6.00006E0C@softhome.net> <1F310BCB-2EE0-441B-BB2F-67DF3EA6ABF4@apple.com> <AC0FBA28-A14B-466E-B1D6-16E4F4EB2036@muada.com> <1139442A-99C2-458D-A7ED-0833D3CFE358@apple.com> <0829DAE3-60A9-4918-8834-715B93665D39@muada.com> <02bd01c783b9$959b7490$c0d25db0$@net>

On Apr 20, 2007, at 19:05, Tony Hain wrote:

I am trying to catch up here, and I don't think I understand theentirepicture. On one hand it looks like you are trying to insert atransparentapplication proxy for the purpose of applying inbound policywithout userintervention. On another it looks like the only thing that you aretrying to
proxy are the control protocols for a couple of specific use cases. In
either case, the problem statement looks more like a perceived need to
transparently redirect traffic off its normal routing path. For theexamplegiven of the AirPort, it would be on-path by nature of itspackaging so itwould have access to implement the policies before forwardingwithout the
need for any nat function. If I misunderstood please correct me.


I think you understand correctly.  I have both of these concerns.

On the one hand, there are certain applications that work over IPv4/NAT today, which do not work over IPv6 in the default configurationof AirPort Extreme because the IPv6 SPI filter blocks inbound flows.These applications are handled properly in the IPv4/NAT case byapplication layer gateways (ALG).

On the other hand, I have the additional concern that we may neverhave a method of enabling the utility of new peer-to-peer applicationprotocols (which nameless boffins are busy designing in theirbasement laboratories even as I write, and which scale better andwork more efficiently if no relays need to be reachable in the middleof the network) *without* having to deploy ALG's everywhere in theInternet to support them. (See below for more of my thoughts aboutthat.)

If the future IPv6 Internet turns out to be one very much like theexisting IPv4/NAT Internet, then I'm going to need to be able todeploy ALG's quickly and easily as new application protocols emerge.That gives me pause, because I already know how the need for ALG'sgives rise to the need for NAT, and I'm really *NOT* excited aboutthe idea of making a name for myself as the guy who brought NAT to IPv6.

It would be useful to understand a deployment scenario where thenormalstate would be to intentionally divert traffic off the routing pathto amiddle box. In particular, it would need to be clear why that wouldnot bedone by encapsulating at the diversion point, or even simpler byforcing thedevice to be on-path by aggregating the policy impacted nodesbehind it on a
dedicated subnet.

This is, I want to be careful to admit up front, a bit speculative.I may be out of my depth, and I'm hoping to be corrected if myunderstanding is wrong. Here's one possible scenario that seems likethe general case that has me concerned:

Consider the case of an application layer gateway for RTSP deployedin the firewall for a large population of endpoint nodes, i.e.numbering in the hundreds of thousands or even millions. Grant thatmuch of the RTP/RTCP traffic will be sent from media servers toclients on different paths than the reverse path from the RTSPservers. Also grant that the fraction of endpoints using RTSP at anygiven time is small enough that the network can be provisioned withvastly fewer RTSP proxy nodes than stateful packet inspectionfirewall/routers.

In this scenario, diverting the RTSP stream from the firewall/routerto the RTSP proxy transparently should probably be done byencapsulation rather than NAT, but let's be honest about how thiswill probably be developed in practice. Once you've already got anRTSP proxy that works using NAT to redirect into a node-localinterface address (just like your existing RTSP proxy already doeswith IPv4), the shortest path to getting your larger scale RTSP proxysystem up and running is to reuse the mechanism you already havegoing. Rather than encapsulate (which comes at the price of havingto write the code that decapsulates at the other end of the tunneland still lets TCP process the packets and present an octet stream tothe proxy function), you just redirect with the NAT to an RTSP proxynode at a different address. This is much easier. That's howdevelopers will do it. I know that's how *I'M* currently planning todo it.

The idea of forcing the client devices to be on-path by aggregatingthe policy impacted nodes behind it on a dedicated subnet seemsinteresting. What mechanism would you envision for doing that in thescenario outlined above?

I should also mention that my additional concern about applicationsthat haven't yet been developed is part of what has me champing foran alternative to deploying ALG's everywhere. It would be nice tohave a long-term solution that didn't require constant upgrades tothe middleware.

Self-organizing peer-to-peer applications seem to be generallyincompatible with stateful packet filters that block all inboundflows by default. I understand that many in the Internet engineeringcommunity don't consider this failure of end-to-end connectivity tobe a great loss, but I think ordinary users will be unhappy with thefinal consequences in terms of application usability unless someALG's are deployed to relax policy enforcement according to thespecific needs of applications that can benefit from them.

Solutions like STUN/ICE/whathaveyou will always depend on theexistence of two things that do not now exist: 1) a global peer-rendezvous service, and 2) a well-defined standard behavior forunmanaged IPv6 SPI firewalls. I can see problems ahead trying tobring up solutions for each of those problems. I don't see how wecan escape the need for ALG's, and probably NAT as well, by relyingonly on SPI side effects.

I do think there are ways to avoid the need for ALG's, but they'regoing to require a lot of socialization-- and that's why you see mehere trying to raise the visibility of these issues, partly byhighlighting the costs of not doing anything, and also by pointingout practical avenues of development that could lead to practicalsolutions.

While I would encourage a draft on an ICMP protocol type for pinhole
management to raise the issues, I think one the reasons that theIETF has
trouble in the policy management space is the carve-off-a-tiny-piece
approach to everything, particularly without any intent tounderstand theentire environment. Boiling the ocean is not productive, butdefining asystemic framework where the carved up pieces have some hope ofrelating toeach other (in some environments that might be called anarchitecture) iswhat the IETF lacks. We have a pile of piece-parts that have beendefined tosolve someone's hot-button, but nothing works together in a waythat allowsa consistent policy to be implemented across a range of functionalneed.

Perhaps, now would be a good time to reiterate that Apple designedthe NAT-PMP protocol intending for it not to be easily extended intomore than a transition mechanism for IPv4/NAT, only to be used untilIPv6 deployment is ubiquitous. It was a carve-off-a-tiny-pieceapproach because that was good architecture.

Everyone with whom I've talked about this at Apple believes that anyproposal for a permanent addition to IPv6 for firewalls to discoverapplication listeners will require an extremely thorougharchitectural review. Ideally, we'd like to see the members of IABjoin this discussion and offer whatever advice they think would helpthe working group build consensus around an architecturally soundsolution to the class of problems under discussion here.

It sounds like you might have a use case that the -nap- draft doesnot dealwith. I was presented with another a couple of weeks ago. I do notwant toderail the effort to get the current doc out, because it needed tobe in RFCform about a year ago, but we should start on an update to it thatcoversissues the current doc misses and how to resolve them withoutresorting to
nat.

In the case of draft-ietf-v6ops-nap, the thing I was initially tryingto help avoid has now already happened in my immediate circles, i.e.product management has interpreted an INFO as a BCP. It turned out,much to my embarrassment, that this really wasn't much of a mistake,and that nobody really cares about the distinction between arecommendation in an INFO and the same recommendation in a BCP.

I do still think there is a huge, glaring, problem before the V6OPSgroup, involving 1) unmanaged IPv6 networks subject to policyenforcement by 2) unmanaged stateful packet filtering firewalls.Whether that's really an open problem in the NAP draft, I'll leave toothers to decide.



--
j h woodyatt <jhw@apple.com>

Follow-Ups:
- RE: The argument for writing a general purpose NAT for IPv6
  - From: "Tony Hain" <alh-ietf@tndh.net>

References:
- I-D ACTION:draft-ietf-v6ops-nap-06.txt
  - From: Internet-Drafts@ietf.org
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- RE: IPv6-PMP?
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: IPv6-PMP?
  - From: Thomas Narten <narten@us.ibm.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: EricLKlein@softhome.net
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: The argument for writing a general purpose NAT for IPv6
  - From: "Tony Hain" <alh-ietf@tndh.net>

Prev by Date: RE: Long term vs short term, was: Re: The argument for writing a general purpose NAT for IPv6
Next by Date: Re: Long term vs. short term
Previous by thread: RE: The argument for writing a general purpose NAT for IPv6
Next by thread: RE: The argument for writing a general purpose NAT for IPv6
Index(es):
- Date
- Thread