headers
Saikat Guha | 9 May 2005 07:16
Picon
Favicon

Re: Next rev on TCP Behavior

Comments inline. Sorry for the delay; it was a DLink NAT (not netgear).

On Tue, 2005-04-26 at 07:52 -0700, Pyda Srisuresh wrote:
> here is what I suspect might have happened. 
> 
> Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1052,B:3389)---> dropped
>          ==> NAT device created NAT session-1 (a:1024->A:1052,B:3389) 
> 
> Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1053,B:3389)---> dropped
>          ==> At this point or before, NAT device freed up NAT session-1.
>          ==> NAT device created NAT session-2 (a:1024->A:1053,B:3389) 
> 
> Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1054,B:3389)---> delivered
>          ==> At this point or before, NAT device freed up NAT session-2.
>          ==> NAT device created NAT session-3 (a:1024->A:1054,B:3389)

You are correct. This time I traced the traffic on both sides of the
NAT. If a SYN goes unanswered for about 2 seconds, the NAT frees up the
session and generates a RST for the internal stack. 

--

-- 
Saikat

Comments inline. Sorry for the delay; it was a DLink NAT (not netgear).

On Tue, 2005-04-26 at 07:52 -0700, Pyda Srisuresh wrote:
> here is what I suspect might have happened. 
> 
> Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1052,B:3389)---> dropped
(Continue reading)

Permalink | Reply | 501 comments |
headers
Pyda Srisuresh | 9 May 2005 08:10
Picon
Favicon

Re: How should NATs reject TCP packets? (was:: Re: Next rev on TCP Behavior)

Hi Saikat,

It seems I missed responding to this. Please see my comments inline below.

cheers,
suresh

--- Saikat Guha <sg266 <at> cornell.edu> wrote:

> On Wed, 2005-04-20 at 18:45 -0700, Pyda Srisuresh wrote:
> > [suresh] I believe, NAT should simply drop the TCP packets that are not
> > permitted. 
> 
> I am not in favor of this since this forces the other end to wait for a
> TCP timeout on a failed connect. 
>
[suresh] OK.

> > I believe, it is a BAD idea to generate RST pakets because that gives the
> > attacker clues when the attacker does port scan on the NAT device. Further,
> the
> > attacker could keep the NAT device busy generating RSTs.
> 
> I am not in favor of this either since 1) It forces the other end to
> abort immediately. 2) I agree that the NAT could be kept busy generating
> RSTs.
> 
[suresh] OK. we are in agreement for the same reasons.

> > [suresh] I believe, the NAT device may optionally send ICMP Destination
(Continue reading)

Permalink | Reply | 10 comments |
headers
Pyda Srisuresh | 9 May 2005 08:22
Picon
Favicon

Re: Next rev on TCP Behavior

OK. Sounds like, it doesnt matter how endpoint associations are made with
Symmetric NAT behavior. They all are equally unacceptable, right.

cheers,
suresh 
--- Saikat Guha <sg266 <at> cornell.edu> wrote:

> Comments inline. Sorry for the delay; it was a DLink NAT (not netgear).
> 
> On Tue, 2005-04-26 at 07:52 -0700, Pyda Srisuresh wrote:
> > here is what I suspect might have happened. 
> > 
> > Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1052,B:3389)---> dropped
> >          ==> NAT device created NAT session-1 (a:1024->A:1052,B:3389) 
> > 
> > Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1053,B:3389)---> dropped
> >          ==> At this point or before, NAT device freed up NAT session-1.
> >          ==> NAT device created NAT session-2 (a:1024->A:1053,B:3389) 
> > 
> > Host---(SYN,a:1024,B:3389)---> NAT---(SYN,A:1054,B:3389)---> delivered
> >          ==> At this point or before, NAT device freed up NAT session-2.
> >          ==> NAT device created NAT session-3 (a:1024->A:1054,B:3389)
> 
> You are correct. This time I traced the traffic on both sides of the
> NAT. If a SYN goes unanswered for about 2 seconds, the NAT frees up the
> session and generates a RST for the internal stack. 
> 
> -- 
> Saikat
>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Paul Hoffman | 9 May 2005 19:11

Re: WG last call: draft-ietf-behave-nat-udp-01.txt

At 2:10 AM +0200 4/26/05, Jiri Kuthan wrote:
>This is a BEHAVE Working Group Last Call for comments
>on draft-ietf-behave-nat-udp-01. This last call closes
>Tuesday May 12, 2005. Please post any final comments you
>have on this draft to this list by that date.

**Unnecessary specification of UDP**

In a few sentences in the document, UDP is mentioned as if it is the 
specific protocol being discussed, but TCP could be equivalently 
substituted in its place. These sentences should be made 
protocol-agnostic if they really are protocol-agnostic, which I think 
the following are. (Of course, there are still many UDP-specific 
sections in the document!)

4.1, first sentence, delete "UDP" because the same would be true for 
"TCP" and possibly other protocols.

4.3, first sentence, remove "UDP" because the timers are very 
unlikely to be different than TCP timers.

5.1, first sentence, remove "UDP" because the same would be true for 
"TCP" and possibly other protocols.

7, first sentence, remove "UDP" because the same would be true for 
"TCP" and possibly other protocols.

9, first sentence, remove "UDP" because the same would be true for 
"TCP" and possibly other protocols.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Francois Audet | 9 May 2005 20:02
Favicon

RE: WG last call: draft-ietf-behave-nat-udp-01.txt

Hi Paul,

Thank you for your careful reading of the document.

I agree with all your comments and will make the changes accordingly
unless there is opposition on the list.

Cheers.

> -----Original Message-----
> From: ietf-behave-bounces <at> list.sipfoundry.org
> [mailto:ietf-behave-bounces <at> list.sipfoundry.org] On Behalf Of
> Paul Hoffman
> Sent: Monday, May 09, 2005 10:11
> To: Jiri Kuthan; Ietf-behave <at> list.sipfoundry.org
> Subject: Re: [Ietf-behave] WG last call:
> draft-ietf-behave-nat-udp-01.txt
>
>
> At 2:10 AM +0200 4/26/05, Jiri Kuthan wrote:
> >This is a BEHAVE Working Group Last Call for comments
> >on draft-ietf-behave-nat-udp-01. This last call closes
> >Tuesday May 12, 2005. Please post any final comments you
> >have on this draft to this list by that date.
>
> **Unnecessary specification of UDP**
>
> In a few sentences in the document, UDP is mentioned as if it is the
> specific protocol being discussed, but TCP could be equivalently
> substituted in its place. These sentences should be made
> protocol-agnostic if they really are protocol-agnostic, which I think
> the following are. (Of course, there are still many UDP-specific
> sections in the document!)
>
> 4.1, first sentence, delete "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 4.3, first sentence, remove "UDP" because the timers are very
> unlikely to be different than TCP timers.
>
> 5.1, first sentence, remove "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 7, first sentence, remove "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 9, first sentence, remove "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 11, first two sentences, remove "UDP" because the same would be true
> for "TCP" and possibly other protocols.
>
>
> **Editorial**
>
> 1, fourth paragraph, remove "the" and change "off" to "of":
> "...control off middle boxes..."
>
> 1, last paragraph, RTP and other UDP-based protocols are said to run
> on top of UDP, so change "below" to "above".
>
> 4.2.3, first paragraph, "glare" should be "glaring".
>
> 5.1, second bullet, replace "...packets to Y..." with "packets to
> Y:any ..." to make it parallel with the other usage in the section.
>
> 7, last paragraph, after "methods" add "or protocols that try to be
> NAT-aware" to make it more general.
>
> 9, section title should be "ICMP Destination Unreachable Behavior"
> because that is the only type of ICMP behavior being discussed in the
> section.
>
> 10, section title should be "Fragmentation of Outgoing Packets" to
> emphasize that the entire section is about packets flowing in one
> direction.
>
> 10.1, end of first paragraph, add ", or other reasons" because there
> are many reasons why the MTU is set higher on the NAT.
>
> 10.1, third and fourth paragraph, "should" needs to be capitalized.
>
> 10.2, end of first paragraph, add "as specified in" before "RFC 1812".
>
> 11, first sentence, change "first or last" to "in any fragment"
> because there may be more than two fragments for the packet.
>
> 13, last paragraph, add "if done incorrectly" after "...a DoS
> opportunity" because many stacks correctly buffer fragments in a
> manner that doesn't make them susceptible.
>
>
> --Paul Hoffman, Director
> --Cybersecurity Association
> _______________________________________________
> Ietf-behave mailing list
> Ietf-behave <at> list.sipfoundry.org
> https://list.sipfoundry.org/mailman/listinfo/ietf-behave
>
> 

<div>

<p>Hi Paul,
</p>

<p>Thank you for your careful reading of the document.
</p>

<p>I agree with all your comments and will make the changes accordingly
<br>unless there is opposition on the list.
</p>

<p>Cheers.
</p>

<p>&gt; -----Original Message-----
<br>&gt; From: ietf-behave-bounces <at> list.sipfoundry.org 
<br>&gt; [<a href="mailto:ietf-behave-bounces <at> list.sipfoundry.org">mailto:ietf-behave-bounces <at> list.sipfoundry.org</a>] On Behalf Of 
<br>&gt; Paul Hoffman
<br>&gt; Sent: Monday, May 09, 2005 10:11
<br>&gt; To: Jiri Kuthan; Ietf-behave <at> list.sipfoundry.org
<br>&gt; Subject: Re: [Ietf-behave] WG last call: 
<br>&gt; draft-ietf-behave-nat-udp-01.txt
<br>&gt; 
<br>&gt; 
<br>&gt; At 2:10 AM +0200 4/26/05, Jiri Kuthan wrote:
<br>&gt; &gt;This is a BEHAVE Working Group Last Call for comments
<br>&gt; &gt;on draft-ietf-behave-nat-udp-01. This last call closes
<br>&gt; &gt;Tuesday May 12, 2005. Please post any final comments you
<br>&gt; &gt;have on this draft to this list by that date.
<br>&gt; 
<br>&gt; **Unnecessary specification of UDP**
<br>&gt; 
<br>&gt; In a few sentences in the document, UDP is mentioned as if it is the 
<br>&gt; specific protocol being discussed, but TCP could be equivalently 
<br>&gt; substituted in its place. These sentences should be made 
<br>&gt; protocol-agnostic if they really are protocol-agnostic, which I think 
<br>&gt; the following are. (Of course, there are still many UDP-specific 
<br>&gt; sections in the document!)
<br>&gt; 
<br>&gt; 4.1, first sentence, delete "UDP" because the same would be true for 
<br>&gt; "TCP" and possibly other protocols.
<br>&gt; 
<br>&gt; 4.3, first sentence, remove "UDP" because the timers are very 
<br>&gt; unlikely to be different than TCP timers.
<br>&gt; 
<br>&gt; 5.1, first sentence, remove "UDP" because the same would be true for 
<br>&gt; "TCP" and possibly other protocols.
<br>&gt; 
<br>&gt; 7, first sentence, remove "UDP" because the same would be true for 
<br>&gt; "TCP" and possibly other protocols.
<br>&gt; 
<br>&gt; 9, first sentence, remove "UDP" because the same would be true for 
<br>&gt; "TCP" and possibly other protocols.
<br>&gt; 
<br>&gt; 11, first two sentences, remove "UDP" because the same would be true 
<br>&gt; for "TCP" and possibly other protocols.
<br>&gt; 
<br>&gt; 
<br>&gt; **Editorial**
<br>&gt; 
<br>&gt; 1, fourth paragraph, remove "the" and change "off" to "of": 
<br>&gt; "...control off middle boxes..."
<br>&gt; 
<br>&gt; 1, last paragraph, RTP and other UDP-based protocols are said to run 
<br>&gt; on top of UDP, so change "below" to "above".
<br>&gt; 
<br>&gt; 4.2.3, first paragraph, "glare" should be "glaring".
<br>&gt; 
<br>&gt; 5.1, second bullet, replace "...packets to Y..." with "packets to 
<br>&gt; Y:any ..." to make it parallel with the other usage in the section.
<br>&gt; 
<br>&gt; 7, last paragraph, after "methods" add "or protocols that try to be 
<br>&gt; NAT-aware" to make it more general.
<br>&gt; 
<br>&gt; 9, section title should be "ICMP Destination Unreachable Behavior" 
<br>&gt; because that is the only type of ICMP behavior being discussed in the 
<br>&gt; section.
<br>&gt; 
<br>&gt; 10, section title should be "Fragmentation of Outgoing Packets" to 
<br>&gt; emphasize that the entire section is about packets flowing in one 
<br>&gt; direction.
<br>&gt; 
<br>&gt; 10.1, end of first paragraph, add ", or other reasons" because there 
<br>&gt; are many reasons why the MTU is set higher on the NAT.
<br>&gt; 
<br>&gt; 10.1, third and fourth paragraph, "should" needs to be capitalized.
<br>&gt; 
<br>&gt; 10.2, end of first paragraph, add "as specified in" before "RFC 1812".
<br>&gt; 
<br>&gt; 11, first sentence, change "first or last" to "in any fragment" 
<br>&gt; because there may be more than two fragments for the packet.
<br>&gt; 
<br>&gt; 13, last paragraph, add "if done incorrectly" after "...a DoS 
<br>&gt; opportunity" because many stacks correctly buffer fragments in a 
<br>&gt; manner that doesn't make them susceptible.
<br>&gt; 
<br>&gt; 
<br>&gt; --Paul Hoffman, Director
<br>&gt; --Cybersecurity Association 
<br>&gt; _______________________________________________
<br>&gt; Ietf-behave mailing list
<br>&gt; Ietf-behave <at> list.sipfoundry.org 
<br>&gt; <a href="https://list.sipfoundry.org/mailman/listinfo/ietf-behave" target="_blank">https://list.sipfoundry.org/mailman/listinfo/ietf-behave</a>
<br>&gt; 
<br>&gt; 
</p>

</div>
Permalink | Reply | 0 comments |
headers
Senthil Sivakumar (ssenthil | 9 May 2005 20:13
Picon
Favicon

RE: WG last call: draft-ietf-behave-nat-udp-01.txt

A lot of text in this document is generic to both TCP and UDP but the applicability states
 
"This document only covers the UDP Unicast aspects of NAT traversal and does not cover TCP, IPSEC, or other protocols.  Since the document is for UDP only, packet inspection below the UDP layer (including RTP) is also out-of-scope."
 
We felt this while writing the TCP behavior draft where we had to refer to the UDP draft for generic issues.  The common requirements should be addressed in a seperate document, that will make both the TCP and UDP requirements concise and should not be interleaved in this UDP requirements draft.
 
Senthil

From: ietf-behave-bounces <at> list.sipfoundry.org [mailto:ietf-behave-bounces <at> list.sipfoundry.org] On Behalf Of Francois Audet
Sent: Monday, May 09, 2005 11:02 AM
To: 'Paul Hoffman'; 'Jiri Kuthan'; 'Ietf-behave <at> list.sipfoundry.org'
Subject: RE: [Ietf-behave] WG last call: draft-ietf-behave-nat-udp-01.txt

Hi Paul,

Thank you for your careful reading of the document.

I agree with all your comments and will make the changes accordingly
unless there is opposition on the list.

Cheers.

> -----Original Message-----
> From: ietf-behave-bounces <at> list.sipfoundry.org
> [mailto:ietf-behave-bounces <at> list.sipfoundry.org] On Behalf Of
> Paul Hoffman
> Sent: Monday, May 09, 2005 10:11
> To: Jiri Kuthan; Ietf-behave <at> list.sipfoundry.org
> Subject: Re: [Ietf-behave] WG last call:
> draft-ietf-behave-nat-udp-01.txt
>
>
> At 2:10 AM +0200 4/26/05, Jiri Kuthan wrote:
> >This is a BEHAVE Working Group Last Call for comments
> >on draft-ietf-behave-nat-udp-01. This last call closes
> >Tuesday May 12, 2005. Please post any final comments you
> >have on this draft to this list by that date.
>
> **Unnecessary specification of UDP**
>
> In a few sentences in the document, UDP is mentioned as if it is the
> specific protocol being discussed, but TCP could be equivalently
> substituted in its place. These sentences should be made
> protocol-agnostic if they really are protocol-agnostic, which I think
> the following are. (Of course, there are still many UDP-specific
> sections in the document!)
>
> 4.1, first sentence, delete "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 4.3, first sentence, remove "UDP" because the timers are very
> unlikely to be different than TCP timers.
>
> 5.1, first sentence, remove "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 7, first sentence, remove "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 9, first sentence, remove "UDP" because the same would be true for
> "TCP" and possibly other protocols.
>
> 11, first two sentences, remove "UDP" because the same would be true
> for "TCP" and possibly other protocols.
>
>
> **Editorial**
>
> 1, fourth paragraph, remove "the" and change "off" to "of":
> "...control off middle boxes..."
>
> 1, last paragraph, RTP and other UDP-based protocols are said to run
> on top of UDP, so change "below" to "above".
>
> 4.2.3, first paragraph, "glare" should be "glaring".
>
> 5.1, second bullet, replace "...packets to Y..." with "packets to
> Y:any ..." to make it parallel with the other usage in the section.
>
> 7, last paragraph, after "methods" add "or protocols that try to be
> NAT-aware" to make it more general.
>
> 9, section title should be "ICMP Destination Unreachable Behavior"
> because that is the only type of ICMP behavior being discussed in the
> section.
>
> 10, section title should be "Fragmentation of Outgoing Packets" to
> emphasize that the entire section is about packets flowing in one
> direction.
>
> 10.1, end of first paragraph, add ", or other reasons" because there
> are many reasons why the MTU is set higher on the NAT.
>
> 10.1, third and fourth paragraph, "should" needs to be capitalized.
>
> 10.2, end of first paragraph, add "as specified in" before "RFC 1812".
>
> 11, first sentence, change "first or last" to "in any fragment"
> because there may be more than two fragments for the packet.
>
> 13, last paragraph, add "if done incorrectly" after "...a DoS
> opportunity" because many stacks correctly buffer fragments in a
> manner that doesn't make them susceptible.
>
>
> --Paul Hoffman, Director
> --Cybersecurity Association
> _______________________________________________
> Ietf-behave mailing list
> Ietf-behave <at> list.sipfoundry.org
> https://list.sipfoundry.org/mailman/listinfo/ietf-behave
>
> 

<div>
<div dir="ltr" align="left"><span class="942490718-09052005">A lot of text in this 
document is generic to both TCP and UDP but the applicability 
states</span></div>
<div dir="ltr" align="left">
<span class="942490718-09052005"></span>&nbsp;</div>
<div dir="ltr" align="left"><span class="942490718-09052005">"This document only 
covers the UDP Unicast aspects of NAT traversal&nbsp;and does not cover TCP, 
IPSEC, or other protocols.&nbsp; Since the&nbsp;document is for UDP only, packet 
inspection below the UDP layer&nbsp;(including RTP) is also out-of-scope."</span></div>
<div>&nbsp;</div>
<div><span class="942490718-09052005">We felt this while writing the TCP behavior 
draft where we had to refer to the UDP draft for generic issues.&nbsp; The 
common requirements should be addressed in a seperate document, that will make 
both the TCP and UDP requirements concise and should not be interleaved in this 
UDP requirements draft.</span></div>
<div>
<span class="942490718-09052005"></span>&nbsp;</div>
<div><span class="942490718-09052005">Senthil</span></div>
<div><br></div>
<div class="OutlookMessageHeader" lang="en-us" dir="ltr" align="left">
From: ietf-behave-bounces <at> list.sipfoundry.org 
[mailto:ietf-behave-bounces <at> list.sipfoundry.org] On Behalf Of Francois 
Audet<br>Sent: Monday, May 09, 2005 11:02 AM<br>To: 'Paul 
Hoffman'; 'Jiri Kuthan'; 'Ietf-behave <at> list.sipfoundry.org'<br>Subject: 
RE: [Ietf-behave] WG last call: 
draft-ietf-behave-nat-udp-01.txt<br><br>
</div>
<div></div>
<p>Hi Paul, </p>
<p>Thank you for your careful reading of the document. </p>
<p>I agree with all your comments and will make the changes 
accordingly <br>unless there is opposition on the 
list. </p>
<p>Cheers. </p>
<p>&gt; -----Original Message----- <br>&gt; 
From: ietf-behave-bounces <at> list.sipfoundry.org <br>&gt; [<a href="mailto:ietf-behave-bounces <at> list.sipfoundry.org">mailto:ietf-behave-bounces <at> list.sipfoundry.org</a>] 
On Behalf Of <br>&gt; Paul Hoffman <br>&gt; Sent: Monday, May 09, 2005 10:11 <br>&gt; To: 
Jiri Kuthan; Ietf-behave <at> list.sipfoundry.org <br>&gt; 
Subject: Re: [Ietf-behave] WG last call: <br>&gt; 
draft-ietf-behave-nat-udp-01.txt <br>&gt; <br>&gt; <br>&gt; At 2:10 AM +0200 4/26/05, Jiri Kuthan 
wrote: <br>&gt; &gt;This is a BEHAVE Working Group Last Call 
for comments <br>&gt; &gt;on draft-ietf-behave-nat-udp-01. 
This last call closes <br>&gt; &gt;Tuesday May 12, 2005. 
Please post any final comments you <br>&gt; &gt;have on this 
draft to this list by that date. <br>&gt; <br>&gt; **Unnecessary specification of UDP** <br>&gt; 
<br>&gt; In a few sentences in the document, UDP is 
mentioned as if it is the <br>&gt; specific protocol being 
discussed, but TCP could be equivalently <br>&gt; 
substituted in its place. These sentences should be made <br>&gt; protocol-agnostic if they really are protocol-agnostic, which I 
think <br>&gt; the following are. (Of course, there are 
still many UDP-specific <br>&gt; sections in the 
document!) <br>&gt; <br>&gt; 4.1, first 
sentence, delete "UDP" because the same would be true for <br>&gt; "TCP" and possibly other protocols. <br>&gt; 
<br>&gt; 4.3, first sentence, remove "UDP" because the 
timers are very <br>&gt; unlikely to be different than TCP 
timers. <br>&gt; <br>&gt; 5.1, first 
sentence, remove "UDP" because the same would be true for <br>&gt; "TCP" and possibly other protocols. <br>&gt; 
<br>&gt; 7, first sentence, remove "UDP" because the same 
would be true for <br>&gt; "TCP" and possibly other 
protocols. <br>&gt; <br>&gt; 9, first 
sentence, remove "UDP" because the same would be true for <br>&gt; "TCP" and possibly other protocols. <br>&gt; 
<br>&gt; 11, first two sentences, remove "UDP" because the 
same would be true <br>&gt; for "TCP" and possibly other 
protocols. <br>&gt; <br>&gt; 
<br>&gt; **Editorial** <br>&gt; 
<br>&gt; 1, fourth paragraph, remove "the" and change "off" 
to "of": <br>&gt; "...control off middle boxes..." 
<br>&gt; <br>&gt; 1, last paragraph, RTP and 
other UDP-based protocols are said to run <br>&gt; on top of 
UDP, so change "below" to "above". <br>&gt; <br>&gt; 4.2.3, first paragraph, "glare" should be "glaring". 
<br>&gt; <br>&gt; 5.1, second bullet, replace 
"...packets to Y..." with "packets to <br>&gt; Y:any ..." to 
make it parallel with the other usage in the section. <br>&gt; <br>&gt; 7, last paragraph, after "methods" add 
"or protocols that try to be <br>&gt; NAT-aware" to make it 
more general. <br>&gt; <br>&gt; 9, 
section title should be "ICMP Destination Unreachable Behavior" <br>&gt; because that is the only type of ICMP behavior being discussed in 
the <br>&gt; section. <br>&gt; 
<br>&gt; 10, section title should be "Fragmentation of 
Outgoing Packets" to <br>&gt; emphasize that the entire 
section is about packets flowing in one <br>&gt; 
direction. <br>&gt; <br>&gt; 10.1, end 
of first paragraph, add ", or other reasons" because there <br>&gt; are many reasons why the MTU is set higher on the NAT. 
<br>&gt; <br>&gt; 10.1, third and fourth 
paragraph, "should" needs to be capitalized. <br>&gt; 
<br>&gt; 10.2, end of first paragraph, add "as specified in" 
before "RFC 1812". <br>&gt; <br>&gt; 11, 
first sentence, change "first or last" to "in any fragment" <br>&gt; because there may be more than two fragments for the packet. 
<br>&gt; <br>&gt; 13, last paragraph, add "if 
done incorrectly" after "...a DoS <br>&gt; opportunity" 
because many stacks correctly buffer fragments in a <br>&gt; 
manner that doesn't make them susceptible. <br>&gt; 
<br>&gt; <br>&gt; --Paul Hoffman, 
Director <br>&gt; --Cybersecurity Association 
<br>&gt; 
_______________________________________________ <br>&gt; 
Ietf-behave mailing list <br>&gt; 
Ietf-behave <at> list.sipfoundry.org <br>&gt; <a href="https://list.sipfoundry.org/mailman/listinfo/ietf-behave" target="_blank">https://list.sipfoundry.org/mailman/listinfo/ietf-behave</a> 
<br>&gt; <br>&gt; </p>
</div>
Permalink | Reply | 1 comment |
headers
Francois Audet | 9 May 2005 20:57
Favicon

RE: WG last call: draft-ietf-behave-nat-udp-01.txt

> At 11:13 AM -0700 5/9/05, Senthil Sivakumar \(ssenthil\) wrote:
> >A lot of text in this document is generic to both TCP and UDP but
> >the applicability states
> >
> >"This document only covers the UDP Unicast aspects of NAT
> >traversal and does not cover TCP, IPSEC, or other protocols.
>
> There is no mismatch there. In the areas I pointed out, where it says
> "UDP" it actually covers any IP-based protocol. Thus, it is better to
> keep those parts generic.
>
> >   Since the document is for UDP only, packet inspection below the
> >UDP layer (including RTP) is also out-of-scope."
>
> There is no mismatch there either. I don't think that the current UDP
> requirements draft talks about UDP packet inspection except to say
> "don't do that".
>
> >We felt this while writing the TCP behavior draft where we had to
> >refer to the UDP draft for generic issues.
>
> Right.
>
> >   The common requirements should be addressed in a seperate
> >document, that will make both the TCP and UDP requirements concise
> >and should not be interleaved in this UDP requirements draft.
>
> That's one option. Another is to make the two drafts parallel,
> pointing out where they differ due to specific differences between
> UDP and TCP.

Agree. That decision (to have two parrallel drafts) was already made. 

<div>

<p>&gt; At 11:13 AM -0700 5/9/05, Senthil Sivakumar \(ssenthil\) wrote:
<br>&gt; &gt;A lot of text in this document is generic to both TCP and UDP but
<br>&gt; &gt;the applicability states
<br>&gt; &gt;
<br>&gt; &gt;"This document only covers the UDP Unicast aspects of NAT
<br>&gt; &gt;traversal and does not cover TCP, IPSEC, or other protocols.
<br>&gt; 
<br>&gt; There is no mismatch there. In the areas I pointed out, where it says 
<br>&gt; "UDP" it actually covers any IP-based protocol. Thus, it is better to 
<br>&gt; keep those parts generic.
<br>&gt; 
<br>&gt; &gt;&nbsp;&nbsp; Since the document is for UDP only, packet inspection below the
<br>&gt; &gt;UDP layer (including RTP) is also out-of-scope."
<br>&gt; 
<br>&gt; There is no mismatch there either. I don't think that the current UDP 
<br>&gt; requirements draft talks about UDP packet inspection except to say 
<br>&gt; "don't do that".
<br>&gt; 
<br>&gt; &gt;We felt this while writing the TCP behavior draft where we had to
<br>&gt; &gt;refer to the UDP draft for generic issues.
<br>&gt; 
<br>&gt; Right.
<br>&gt; 
<br>&gt; &gt;&nbsp;&nbsp; The common requirements should be addressed in a seperate
<br>&gt; &gt;document, that will make both the TCP and UDP requirements concise 
<br>&gt; &gt;and should not be interleaved in this UDP requirements draft.
<br>&gt; 
<br>&gt; That's one option. Another is to make the two drafts parallel, 
<br>&gt; pointing out where they differ due to specific differences between 
<br>&gt; UDP and TCP.
</p>

<p>Agree. That decision (to have two parrallel drafts) was already made.
</p>

</div>
Permalink | Reply | 3 comments |
headers
Paul Hoffman | 9 May 2005 20:31

RE: WG last call: draft-ietf-behave-nat-udp-01.txt

At 11:13 AM -0700 5/9/05, Senthil Sivakumar \(ssenthil\) wrote:
>A lot of text in this document is generic to both TCP and UDP but 
>the applicability states
>
>"This document only covers the UDP Unicast aspects of NAT 
>traversal and does not cover TCP, IPSEC, or other protocols.

There is no mismatch there. In the areas I pointed out, where it says 
"UDP" it actually covers any IP-based protocol. Thus, it is better to 
keep those parts generic.

>   Since the document is for UDP only, packet inspection below the 
>UDP layer (including RTP) is also out-of-scope."

There is no mismatch there either. I don't think that the current UDP 
requirements draft talks about UDP packet inspection except to say 
"don't do that".

>We felt this while writing the TCP behavior draft where we had to 
>refer to the UDP draft for generic issues.

Right.

>   The common requirements should be addressed in a seperate 
>document, that will make both the TCP and UDP requirements concise 
>and should not be interleaved in this UDP requirements draft.

That's one option. Another is to make the two drafts parallel, 
pointing out where they differ due to specific differences between 
UDP and TCP.

--Paul Hoffman, Director
--Cybersecurity Association
Permalink | Reply | 0 comments |
headers
Senthil Sivakumar (ssenthil | 9 May 2005 21:03
Picon
Favicon

RE: WG last call: draft-ietf-behave-nat-udp-01.txt

Comments inline with [Senthil]

-----Original Message-----
From: ietf-behave-bounces <at> list.sipfoundry.org
[mailto:ietf-behave-bounces <at> list.sipfoundry.org] On Behalf Of Paul
Hoffman
Sent: Monday, May 09, 2005 11:32 AM
To: Ietf-behave <at> list.sipfoundry.org
Subject: RE: [Ietf-behave] WG last call:
draft-ietf-behave-nat-udp-01.txt

At 11:13 AM -0700 5/9/05, Senthil Sivakumar \(ssenthil\) wrote:
>A lot of text in this document is generic to both TCP and UDP but the 
>applicability states
>
>"This document only covers the UDP Unicast aspects of NAT traversal and

>does not cover TCP, IPSEC, or other protocols.

There is no mismatch there. In the areas I pointed out, where it says
"UDP" it actually covers any IP-based protocol. Thus, it is better to
keep those parts generic.

[Senthil] To me that is confusing. The text explicitly says no other
protocol is covered but it discusses generic aspects of any IP based
protocol? 

>   Since the document is for UDP only, packet inspection below the UDP 
>layer (including RTP) is also out-of-scope."

There is no mismatch there either. I don't think that the current UDP
requirements draft talks about UDP packet inspection except to say
"don't do that".

>We felt this while writing the TCP behavior draft where we had to refer

>to the UDP draft for generic issues.

Right.

>   The common requirements should be addressed in a seperate document, 
>that will make both the TCP and UDP requirements concise and should not

>be interleaved in this UDP requirements draft.

That's one option. Another is to make the two drafts parallel, pointing
out where they differ due to specific differences between UDP and TCP.

[Senthil] Discussing the specific differences of each of the specific
protocol is what these two drafts are all about. That is not the
problem, the problem is where should the commonlaties reside, in UDP
draft, in TCP draft, in both or in a separate draft. I think it should
reside in a separate draft.

Senthil

--Paul Hoffman, Director
--Cybersecurity Association
_______________________________________________
Ietf-behave mailing list
Ietf-behave <at> list.sipfoundry.org
https://list.sipfoundry.org/mailman/listinfo/ietf-behave
Permalink | Reply | 0 comments |
headers
Paul Hoffman | 9 May 2005 23:52

Issues with draft-ietf-behave-rfc3489bis-01

Greetings again. In looking over the STUNbis draft, two issues popped up.

In section 8.1, it says:

       OPEN ISSUE: Experience has shown that the usage of a dynamic port
       for P2 has been problematic.  This is because firewall
       administrators have opened up port 3478 to permit STUN, but
       disallowed the dynamic port used by the server.  This causes the
       diagnostic techniques to fail.  This can be fixed through
       allocation of a second port number from IANA.  Does that belong in
       this specification or in the diagnostic specification? I think it
       has to go here.

Agree, it should go here, particularly because there doesn't appear 
to be a diagnostic spec (yet).

Later in 8.1, it says:

    If the RESPONSE-ADDRESS attribute was absent from the Binding
    Request, the destination address and port of the Binding Response
    MUST be the same as the source address and port of the Binding
    Request.  Otherwise, the destination address and port of the Binding
    Response MUST be the value of the IP address and port in the
    RESPONSE-ADDRESS attribute.

This means that a compliant STUN server MUST support sending STUN 
responses to someone who didn't ask for them; that's pretty bad from 
a DoS standpoint. The server should be allowed to ignore requests 
that have a RESPONSE-ADDRESS that differs from the source address of 
the Binding Request. Also, this really should be covered in the 
Security Considerations section.

--Paul Hoffman, Director
--Cybersecurity Association
Permalink | Reply | 0 comments |

Gmane