NAT Behavioral Requirements for TCP - IETF

14 downloads 91 Views 66KB Size Report
MUST cancel this delayed ICMP if in that time it receives and translates an outbound SYN for the connection. If a NAT does not have resources to delay the ...
NAT Behavioral Requirements for TCP Saikat Guha, Kaushik Biswas, Bryan Ford, Paul Francis, Senthil Sivakumar, Pyda Srisuresh draft-ietf-behave-tcp-01

IETF 66

Guha et al.

draft-ietf-behave-tcp-01

Changes Since -00

Now a standalone document ◮ Much easier to read ◮ (Re)defines terminology shared with UDP ◮ References UDP only for IP requirements

Guha et al.

draft-ietf-behave-tcp-01

Handling Unsolicited SYN?

SYNs that . . . ◮ are inbound ◮ are NOT part of an in-progress TCP (S-O) ◮ are NOT allowed by filtering behavior ... basically the NAT cannot route

Guha et al.

draft-ietf-behave-tcp-01

Unsolicited SYN: Option 1

A

Silent Drop

N

M SYN

◮ ◮

Good for P2P Bad for erroneous SYNs ◮

◮ ◮ ◮

NATs do this today (92%) Current WG consensus Too rare a case? Is it a problem today?

Guha et al.

draft-ietf-behave-tcp-01

B

Unsolicited SYN: Option 1

A

Silent Drop

N

M SYN

◮ ◮

Good for P2P Bad for erroneous SYNs ◮

◮ ◮ ◮

SYN

NATs do this today (92%) Current WG consensus Too rare a case? Is it a problem today?

Guha et al.

Drop good for P2P

draft-ietf-behave-tcp-01

B

Unsolicited SYN: Option 1

A

Silent Drop

N

M SYN

◮ ◮

Good for P2P Bad for erroneous SYNs ◮

◮ ◮ ◮

SYN

SYN

NATs do this today (92%) Current WG consensus Too rare a case? Is it a problem today?

Guha et al.

SYN

Drop bad for err-SYN draft-ietf-behave-tcp-01

B

Unsolicited SYN: Option 2 ICMP Error ◮ ◮

Good for erroneous SYNs Good for P2P if . . . ◮



A

N

error doesn’t cause stack to aborta

Otherwise, bad for P2P

M SYN RST/ICMP SYN RST/ICMP SYN

May need a new ICMP soft-error code proviso old stacks ignore undefined ICMPs, make sure Gont’s TCPM draft (if it becomes a WG doc) retains this error as soft. a

Guha et al.

draft-ietf-behave-tcp-01

RST/ICMP

Error bad for P2P

B

Unsolicited SYN: Option 2 ICMP Error ◮ ◮

Good for erroneous SYNs Good for P2P if . . . ◮



A

N

error doesn’t cause stack to aborta

M SYN RST/ICMP

Otherwise, bad for P2P

May need a new ICMP soft-error code proviso old stacks ignore undefined ICMPs, make sure Gont’s TCPM draft (if it becomes a WG doc) retains this error as soft. a

Guha et al.

draft-ietf-behave-tcp-01

Error good for err-SYN

B

Unsolicited SYN: Option 3

A

Delayed Error

N

M SYN

◮ ◮



Not bad for P2P Not bad for erroneous SYN Decide delay timeout ◮ ◮

SYN

6s too low for P2P? 6s too high for err-SYN?

RST/ICMP

Delay not bad for P2P Guha et al.

draft-ietf-behave-tcp-01

B

Unsolicited SYN: Option 3

A

Delayed Error

N

M SYN

◮ ◮



Not bad for P2P Not bad for erroneous SYN Decide delay timeout ◮ ◮

6s too low for P2P? 6s too high for err-SYN?

RST/ICMP

Delay not bad for err-SYN Guha et al.

draft-ietf-behave-tcp-01

B

Unsolicited SYN

Opt. 1: Silently drop SYN (old WG consensus) ◮

What does TCPM think?

Opt. 2: Send ICMP, standardize new ICMP code ◮

Is this an option?

Opt. 3: Delay sending ICMP error ◮

1

Is 6s acceptable?1

Variant allows for flexible timeouts if we can’t decide on one Guha et al.

draft-ietf-behave-tcp-01

Unsolicited SYN: Option 4 Delayed Error 2 ◮ ◮

◮ ◮

A

SYN

Not bad for P2P Not bad for erroneous SYN Flexible timeouts Assumptions: ◮

SYN

for P2P MUST do STUNT lookup first

Guha et al.

S

N

Delay2 RST/ICMP not bad for P2P draft-ietf-behave-tcp-01

M

B

Unsolicited SYN: Option 4 Delayed Error 2 ◮ ◮

◮ ◮

A

N SYN

Not bad for P2P Not bad for erroneous SYN Flexible timeouts Assumptions: ◮

RST/ICMP

for P2P MUST do STUNT lookup first

Guha et al.

M

Delay2 not bad for err-SYN draft-ietf-behave-tcp-01

B

Open Issue: Port-range and ICMP Port-Range Preservation Does TCP need source port-range to be preserved (