[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: The argument for writing a general purpose NAT for IPv6

To: "'james woodyatt'" <jhw@apple.com>, "'IETF V6OPS WG'" <v6ops@ops.ietf.org>
Subject: RE: The argument for writing a general purpose NAT for IPv6
From: "Tony Hain" <alh-ietf@tndh.net>
Date: Thu, 26 Apr 2007 17:07:47 -0700
In-reply-to: <D7BFDD9F-10A1-4FAF-91D1-580292AC336E@apple.com>
References: <E1H56s6-0007us-HB@stiedprstage1.ietf.org> <200704111052.05934@auguste.remlab.net> <F26D69F6-8BEE-4D3D-A5B4-C730E9975DA1@apple.com> <200704112214.30985@auguste.remlab.net> <F65A3EA3-3E07-4C63-A4FF-C94832D556FC@apple.com> <70C6EFCDFC8AAD418EF7063CD132D06404352E36@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <200704130208.l3D28UWs017668@cichlid.raleigh.ibm.com> <F7359BE1-601E-4047-AC44-8653872303E2@apple.com> <20070415095925.28786098.ipng@69706e6720323030352d30312d31340a.nosense.org> <406C954E-B2D4-4EE0-904F-12C65902EA13@apple.com> <20070417061641.6df36300.ipng@69706e6720323030352d30312d31340a.nosense.org> <D9E32C70-B89D-4417-8340-38C79657F6A9@apple.com> <46248630.8020804@zurich.ibm.com> <courier.46248EB6.00006E0C@softhome.net> <1F310BCB-2EE0-441B-BB2F-67DF3EA6ABF4@apple.com> <AC0FBA28-A14B-466E-B1D6-16E4F4EB2036@muada.com> <1139442A-99C2-458D-A7ED-0833D3CFE358@apple.com> <0829DAE3-60A9-4918-8834-715B93665D39@muada.com> <02bd01c783b9$959b7490$c0d25db0$@net> <" C 118670B-0796-41EE-8 D7F -5BA88D885255"@apple.com> <013201c7884a$ddd093e0$9971bba0$@net> <D7BFDD9F-10A1-4FAF-91D1-580292AC336E@apple.com>
Reply-to: <alh-ietf@tndh.net>

james woodyatt wrote:
> I'm splitting up my replies to this to keep two different conceptual
> threads of discussion separate.
> 
> On Apr 26, 2007, at 14:35, Tony Hain wrote:
> >
> > First thing we need to do is agree on terminology, not that I know the
> > answer, but it appears that your definition of an ALG & mine are
> > different.
> >
> > To start with I would differentiate a signaling proxy from an ALG,
> > where the
> > former may be required for rendezvous but does nothing with the
> > content
> > stream, and the latter intercepts the content stream and in the
> > case of nat
> > modifies it to deal with embedded addresses.
> 
> I don't see any need for an IPv6 filtering ALG to modify the
> application content, even in the presence of the NAT function I'm
> talking about.  There is no need for more than one IPv6 address realm.

So essentially you are not really talking about an ALG or NAT at all. What
you have defined is a firewall rule that rather than just forward/drop adds
a state 'route via', then overwrites & restores the packet between the
firewall & the proxy. 

While that is a simple hack that would work within a single administrative
domain, I am not sure we want to standardize that as such. If it turns out
that the firewall can insert a routing header and push the real dst there
when overwriting with the proxy, then the proxy only has to do standard
extension header parsing.

> ...........
> 
> > This description screams out for use of the routing extension
> > header. Off
> > the top of my head it is not clear to me that the firewall could
> > insert one
> > without breaking something else, but if you don't want to write
> > decapsulation code at the receiver, the routing extension header
> > would allow
> > diverting traffic to it while maintaining the original destination.
> > Since
> > this is assumed to be 'transparent' the origin of the packet would
> > not know
> > the diversion destination, but if it were defined that RTSP always
> > carried
> > at least an empty routing header, then the firewall could move the
> > original
> > destination there and forward to the proxy. The extension header
> > parser in
> > the proxy would already know how to swap those back before
> > forwarding on.
> 
> I don't think the routing extension header is sufficient to solve the
> problem.  An application layer proxy has to be inserted into the
> transparently for the signaling of the filter to work properly.  I
> don't see how the routing extension header alone can be made to do that.

If the firewall inserts that extension, then pushes the original dst there,
that frees up the base header field for the proxy and results in 'standard'
extension header processing at the route-via point.

> 
> I'm prepared to admit that using the phrase "Network Address
> Translation" is a bit overloaded here, since we are just talking
> about diversion within the single, global IPv6 address realm, but the
> mechanism is basically the same.  The only difference is that it
> complicates the process of overwriting the IPv6 destination address
> by the need to also push a routing extension header.

Doing protocol design based on the ability to reuse existing code is not the
best practice. In any case the complexity is simply being moved around here.
If you take the nat approach, the proxy has to maintain state to restore the
packet. If you take the encapsulation approach, the proxy's stack will hand
up an intact packet ready to forward, rather than just the content so the
proxy parser would need to deal with that. If you take the extension header
approach the firewall has to move the original destination there before
overwriting the base with the address of the proxy. The lowest overhead
'stateless' of those is the last one, but I don't know if it breaks
anything, and I don't know if the proposed use would run into fragmentation
issues. As long as the end to end perceives that the packet sent was the
same as the packet received, if middle boxes mangle & restore it there is no
real problem. 

> 
> I'll agree, though, that defining a way to use routing extension
> headers for this purpose would be a very good idea, since that's
> necessary to make path MTU discovery in the presence of transparent
> application proxies not resident with filtering firewalls work properly.

I am buried right now, but in the next couple of months if you want to work
on an ID I would be happy to start one.

Tony

Follow-Ups:
- RE: The argument for writing a general purpose NAT for IPv6
  - From: itojun@itojun.org (Jun-ichiro itojun Hagino 2.0)
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>

References:
- I-D ACTION:draft-ietf-v6ops-nap-06.txt
  - From: Internet-Drafts@ietf.org
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- RE: IPv6-PMP?
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: IPv6-PMP?
  - From: Thomas Narten <narten@us.ibm.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: EricLKlein@softhome.net
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: The argument for writing a general purpose NAT for IPv6
  - From: "Tony Hain" <alh-ietf@tndh.net>
- RE: The argument for writing a general purpose NAT for IPv6
  - From: "Tony Hain" <alh-ietf@tndh.net>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: The argument for writing a general purpose NAT for IPv6
Next by Date: Re: The argument for writing a general purpose NAT for IPv6
Previous by thread: Re: The argument for writing a general purpose NAT for IPv6
Next by thread: Re: The argument for writing a general purpose NAT for IPv6
Index(es):
- Date
- Thread