FW: Re: draft-ietf-behave-nat-udp-01, REQ-7
2005-08-01 13:29:29 GMT
Sent: Sunday, July 31, 2005 12:31 PM
To: 'Francois Audet'
Subject: RE: [Ietf-behave] Re: draft-ietf-behave-nat-udp-01, REQ-7
Sent: Wednesday, June 22, 2005 2:03 AM
To: 'Cullen Jennings'
Subject: RE: [Ietf-behave] Re: draft-ietf-behave-nat-udp-01, REQ-7
Cullen,
We are waiting for you to tell us what you really meant:
"SHOULD" or "MAY"
in 7a.
Please say so on the list so we can put this issue to rest...
To refresh your memory, I have:
REQ-7: If application transparency is most important, it
is
RECOMMENDED that a NAT have an "Endpoint independent filtering"
behavior. If a more stringent
filtering behavior is most
important, it is RECOMMENDED that a NAT
have an "Address
dependent filtering"
behavior.
a) The filtering
behavior MAY be an option configurable by the
administrator of the NAT.
Bryan is OK with 7, but wants to change the "MAY" to a "SHOULD"
in 7a, and
claims that you are OK with it.
As you know, I really don't give a &*(*#? at this point.
> -----Original Message-----
>
From: ietf-behave-bounces <at> list.sipfoundry.org
> [mailto:ietf-behave-bounces <at> list.sipfoundry.org]
On Behalf Of
> Bryan Ford
> Sent: Tuesday, June 21, 2005 12:22
> To:
Saikat Guha
> Cc: 'Behave'
> Subject: Re: [Ietf-behave] Re: draft-ietf-behave-nat-udp-01,
REQ-7
>
>
> On Tuesday 21 June 2005 19:07, Saikat Guha wrote:
> > On Tue, 2005-06-21 at 09:59 -0600, Bryan Ford wrote:
> > > On Thursday 09 June 2005 16:17, Francois Audet
wrote:
> > >
> a) The filtering behavior MAY be
an option
> configurable by
> > > > the
> > >
> > > I still feel strongly that the MAY should
be
> > > a SHOULD in the second. I don't
recall hearing any
> objections from
> > > Cullen or anyone else after my earlier suggestion that we
> keep the
> > >
SHOULD but change "user configurable" to "configurable by the
> > > administrator of the NAT".
>
>
> > I agree with Cullen (below) that changing
the MAY to should doesn't
> > change any
interoperability issues. Even if "user configurable" is
> > changed to "configurable by the administrator", all of Cullen's
> > objections still hold.
>
> In what way do they still hold?
As far as I can tell,
> Cullen's objections
> were primarily based on his comment that "In many
case[s] the
> administrator
> of the NAT is very different from the user of it" and
> therefore it was
>
unreasonable to expect a NAT's behavior to be
>
"user-configurable". That
> statement I agree
with. It is entirely reasonable, however,
> to
expect a
> NAT's behavior to be
"administrator-configurable". Every NAT
> on
the planet
> is already "administrator-configurable"
- even locked-down
> NATs supplied by
> ISPs, which are configured by the ISP's
administrator
> (perhaps before they
> are even shipped to the user). The problem was merely a
> minor semantic
>
confusion caused by the distinction between "user" and
> "administrator". I
> always meant
"administrator-configurable"; it just
> accidentally
came out
> "user-configurable" at some point because
I wasn't thinking
> carefully about
> that distinction at the time.
>
> > Changing it to SHOULD/RECOMMENDED in
REQ-7a
> > introduces a hidden recommendation that
a NAT SHOULD implement both
> > filtering
behaviors (so it can have an option configurable by the
> > admin) ... which is not what REQ-7 says. I support "MAY" in
REQ-7a.
>
> That hidden
recommendation that a NAT SHOULD implement both filtering
> behaviors is precisely the point. I feel that if a NAT
> implements EF=A
>
filtering (which is a problematic but reasonable security
> feature), then it
> SHOULD also provide a
way for the NAT's administrator to turn
> that
filtering
> feature off. Since an EF=A NAT
minus filtering effectively
> becomes an EF=I
> NAT, what we have is a NAT that is configurable for
either
> EF=I or EF=A.
> This will take an absurdly small amount of implementation
> effort by the NAT
>
implementor - every NAT on the planet has a zillion
>
configuration options
> already; this is just one
more, and all it does is turn off a
> particular
> security feature that sometimes gets in the way of
> application connectivity.
> Can you explain why it is unreasonable or undesirable for NAT
> vendors to be
> expected
to provide this small but potentially important bit of
> configurability?
>
> Bryan
>
> >
On Wed, 2005-06-01 at 09:25 -0400, Cullen Jennings wrote:
> > > > a) The filtering behavior SHOULD be a user
configurable option.
> > >
> > > I could deal with this if we change to MAY but strongly
object to
> > > the SHOULD. There are going to
be devices where this is
> difficult.
> > > There are going to be devices that only
support one type. In many
> > > case the
administrator of the NAT is very different from
> the
user of
> > > it. There is no reason why the WG
should tell vendors how
> to build
> > > this. Having it as MAY or SHOULD does not change any
> > > interoperability issues between devices.
Any standards
> body should
> > > focus on things that it needs to specify to ensure
> interoperability.
> >
> Once vendors start down the slipper slope of not being fully
> > > compliant, pain and suffering will ensue
- I'd rather avoid that.
> > > It's about as
useful for the draft to say that all NAT
> user
manuals
> > > SHOULD be in gender neutral
language. It has no effect on
> > >
interoperability. I can not see any good come it and I
> can see harm
> > > caused by it
when key vendors that are not fully complaint start
>
> > justifying why it is not useful to be fully complaint
> with BEHAVE. I
> > > know it sounds
weird to care about this, but I would like
> to have
a
> > > chance of getting the largest vendor of
residential and corporate
> > > NATs to do this
and this is not going to help.
>
_______________________________________________
>
Ietf-behave mailing list
>
Ietf-behave <at> list.sipfoundry.org
> https://list.sipfoundry.org/mailman/listinfo/ietf-behave
>
>
<div> <div dir="ltr" align="left"><span class="083034012-01082005">sorry accidentally replied instead of reply all on this one. </span></div> <br><div class="OutlookMessageHeader" lang="en-us" dir="ltr" align="left"> From: Cullen Jennings [mailto:fluffy <at> cisco.com] <br>Sent: Sunday, July 31, 2005 12:31 PM<br>To: 'Francois Audet'<br>Subject: RE: [Ietf-behave] Re: draft-ietf-behave-nat-udp-01, REQ-7<br><br> </div> <div></div> <div dir="ltr" align="left"><span class="170101220-30072005">I have no idea how Bryan can think I would be OK with that. But anyways, to clarify, I'm not.</span></div> <div dir="ltr" align="left"> <span class="170101220-30072005"></span> </div> <div dir="ltr" align="left"><span class="170101220-30072005">(obviosly not as chair)</span></div> <div dir="ltr" align="left"> <span class="170101220-30072005"></span> </div> <br><div class="OutlookMessageHeader" lang="en-us" dir="ltr" align="left"> From: Francois Audet [mailto:audet <at> nortel.com] <br>Sent: Wednesday, June 22, 2005 2:03 AM<br>To: 'Cullen Jennings'<br>Subject: RE: [Ietf-behave] Re: draft-ietf-behave-nat-udp-01, REQ-7<br><br> </div> <div></div> <p>Cullen, </p> <p>We are waiting for you to tell us what you really meant: "SHOULD" or "MAY" <br>in 7a. </p> <p>Please say so on the list so we can put this issue to rest... </p> <p>To refresh your memory, I have: </p> <p> REQ-7: If application transparency is most important, it is <br> RECOMMENDED that a NAT have an "Endpoint independent filtering" <br> behavior. If a more stringent filtering behavior is most <br> important, it is RECOMMENDED that a NAT have an "Address <br> dependent filtering" behavior. </p> <p> a) The filtering behavior MAY be an option configurable by the <br> administrator of the NAT. </p> <p>Bryan is OK with 7, but wants to change the "MAY" to a "SHOULD" in 7a, and <br>claims that you are OK with it. </p> <p>As you know, I really don't give a &*(*#? at this point. </p> <p>> -----Original Message----- <br>> From: ietf-behave-bounces <at> list.sipfoundry.org <br>> [<a href="mailto:ietf-behave-bounces <at> list.sipfoundry.org">mailto:ietf-behave-bounces <at> list.sipfoundry.org</a>] On Behalf Of <br>> Bryan Ford <br>> Sent: Tuesday, June 21, 2005 12:22 <br>> To: Saikat Guha <br>> Cc: 'Behave' <br>> Subject: Re: [Ietf-behave] Re: draft-ietf-behave-nat-udp-01, REQ-7 <br>> <br>> <br>> On Tuesday 21 June 2005 19:07, Saikat Guha wrote: <br>> > On Tue, 2005-06-21 at 09:59 -0600, Bryan Ford wrote: <br>> > > On Thursday 09 June 2005 16:17, Francois Audet wrote: <br>> > > > a) The filtering behavior MAY be an option <br>> configurable by <br>> > > > the <br>> > > <br>> > > I still feel strongly that the MAY should be <br>> > > a SHOULD in the second. I don't recall hearing any <br>> objections from <br>> > > Cullen or anyone else after my earlier suggestion that we <br>> keep the <br>> > > SHOULD but change "user configurable" to "configurable by the <br>> > > administrator of the NAT". <br>> > <br>> > I agree with Cullen (below) that changing the MAY to should doesn't <br>> > change any interoperability issues. Even if "user configurable" is <br>> > changed to "configurable by the administrator", all of Cullen's <br>> > objections still hold. <br>> <br>> In what way do they still hold? As far as I can tell, <br>> Cullen's objections <br>> were primarily based on his comment that "In many case[s] the <br>> administrator <br>> of the NAT is very different from the user of it" and <br>> therefore it was <br>> unreasonable to expect a NAT's behavior to be <br>> "user-configurable". That <br>> statement I agree with. It is entirely reasonable, however, <br>> to expect a <br>> NAT's behavior to be "administrator-configurable". Every NAT <br>> on the planet <br>> is already "administrator-configurable" - even locked-down <br>> NATs supplied by <br>> ISPs, which are configured by the ISP's administrator <br>> (perhaps before they <br>> are even shipped to the user). The problem was merely a <br>> minor semantic <br>> confusion caused by the distinction between "user" and <br>> "administrator". I <br>> always meant "administrator-configurable"; it just <br>> accidentally came out <br>> "user-configurable" at some point because I wasn't thinking <br>> carefully about <br>> that distinction at the time. <br>> <br>> > Changing it to SHOULD/RECOMMENDED in REQ-7a <br>> > introduces a hidden recommendation that a NAT SHOULD implement both <br>> > filtering behaviors (so it can have an option configurable by the <br>> > admin) ... which is not what REQ-7 says. I support "MAY" in REQ-7a. <br>> <br>> That hidden recommendation that a NAT SHOULD implement both filtering <br>> behaviors is precisely the point. I feel that if a NAT <br>> implements EF=A <br>> filtering (which is a problematic but reasonable security <br>> feature), then it <br>> SHOULD also provide a way for the NAT's administrator to turn <br>> that filtering <br>> feature off. Since an EF=A NAT minus filtering effectively <br>> becomes an EF=I <br>> NAT, what we have is a NAT that is configurable for either <br>> EF=I or EF=A. <br>> This will take an absurdly small amount of implementation <br>> effort by the NAT <br>> implementor - every NAT on the planet has a zillion <br>> configuration options <br>> already; this is just one more, and all it does is turn off a <br>> particular <br>> security feature that sometimes gets in the way of <br>> application connectivity. <br>> Can you explain why it is unreasonable or undesirable for NAT <br>> vendors to be <br>> expected to provide this small but potentially important bit of <br>> configurability? <br>> <br>> Bryan <br>> <br>> > On Wed, 2005-06-01 at 09:25 -0400, Cullen Jennings wrote: <br>> > > > a) The filtering behavior SHOULD be a user configurable option. <br>> > > <br>> > > I could deal with this if we change to MAY but strongly object to <br>> > > the SHOULD. There are going to be devices where this is <br>> difficult. <br>> > > There are going to be devices that only support one type. In many <br>> > > case the administrator of the NAT is very different from <br>> the user of <br>> > > it. There is no reason why the WG should tell vendors how <br>> to build <br>> > > this. Having it as MAY or SHOULD does not change any <br>> > > interoperability issues between devices. Any standards <br>> body should <br>> > > focus on things that it needs to specify to ensure <br>> interoperability. <br>> > > Once vendors start down the slipper slope of not being fully <br>> > > compliant, pain and suffering will ensue - I'd rather avoid that. <br>> > > It's about as useful for the draft to say that all NAT <br>> user manuals <br>> > > SHOULD be in gender neutral language. It has no effect on <br>> > > interoperability. I can not see any good come it and I <br>> can see harm <br>> > > caused by it when key vendors that are not fully complaint start <br>> > > justifying why it is not useful to be fully complaint <br>> with BEHAVE. I <br>> > > know it sounds weird to care about this, but I would like <br>> to have a <br>> > > chance of getting the largest vendor of residential and corporate <br>> > > NATs to do this and this is not going to help. <br>> _______________________________________________ <br>> Ietf-behave mailing list <br>> Ietf-behave <at> list.sipfoundry.org <br>> <a href="https://list.sipfoundry.org/mailman/listinfo/ietf-behave" target="_blank">https://list.sipfoundry.org/mailman/listinfo/ietf-behave</a> <br>> <br>> </p> </div>
RSS Feed