[Search] [txt|pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 rfc3424                                              
Network Working Group                                          L. Daigle
Internet-Draft                                                    Editor
Expires: August 5, 2002                      Internet Architecture Board
                                                                     IAB
                                                        February 4, 2002


     IAB Considerations for UNilateral Self-Address Fixing (UNSAF)
                 draft-iab-unsaf-considerations-01.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 5, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   With current NA[P]T middleboxes, individual networks using different
   address realms are bridged.  However, as a side effect of address
   translation, communicating endpoints on either side of the middlebox
   do not know how to refer to themselves using addresses that are
   applicable in the other realm -- the address translation is locked
   within the middlebox.  Various proposals have been made for
   "UNilateral Self-Address Fixing (UNSAF)" processes.  These are
   processes whereby some originating process attempts to determine  or
   fix the address (and port) by which it is known to another process --
   e.g., to be able to use address data in the protocol exchange, or to



Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 1]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


   advertise a public address from which it will receive connections.

   This document outlines the reasons for which these proposals can be
   considered at best as short term fixes to specific problems, and the
   specific issues to be carefully evaluated before creating an UNSAF
   proposal.

1. Introduction

   With current NA[P]T middleboxes, individual networks using different
   address realms are bridged.  However, as a side effect of address
   translation, communicating endpoints on either side of the middlebox
   do not know how to refer to themselves using addresses that are
   applicable in the other realm -- the address translation is locked
   within the middlebox.  For some purposes, endpoints need to know the
   addresses (and/or ports) by which they are known to their peers.
   There are two cases.  When the client initiates communication,
   starting the communication has the side effect of creating an address
   binding in the NA[P]T device and allocating an address in the realm
   that is external to the NA[P]T box.  In the second case, a server
   will be accepting connections from outside, but because it does not
   initiate communication, no NAT binding is created.  In such cases, a
   mechanism is needed to fix such a binding, before communication can
   take place.

   "UNilateral Self-Address Fixing (UNSAF)" is a process whereby some
   originating process attempts to determine  or fix the address (and
   port) by which it is known -- e.g., to be able to use address data in
   the protocol exchange, or to advertise a public address from which it
   will receive connections.

   There are only heuristics and workarounds to attempt to achieve this
   effect; there is no 100% solution.  Since NA[P]Ts may also
   dynamically reclaim or readjust translations, "keep-alive" and
   periodic re-polling may be required.  Use of these workarounds MUST
   be considered transitional in IETF protocols; a better architectural
   solution is being sought.  The explicit intention is to deprecate any
   such workarounds when sound technical approaches are available.

2. Architectural issues affecting UNSAF Systems

   Any users of these workarounds should be aware that specific
   technical issues that impede the creation of a general solution
   include:

   o  there *is* no unique "outside" to a NAT -- it may be impossible to
      tell where the target UNSAF partner is with respect to the source;
      how does a client find an appropriate server to reflect its



Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 2]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


      address?  (See Appendix C).

   o  specifically because it is impossible to tell where "outside" or
      "public" is, an address can only be determined relative to one
      specific point in the network.  If the UNSAF partner that
      reflected a client's address is in a different NAT-masked subnet
      from some other service X that the client wishes to use, there is
      _no_ guarantee that the client's "perceived" address from the
      UNSAF partner would be the same as the address viewed from the
      perspective of X.  (See Appendix C).

   o  absent "middlebox communication (midcom)" there is no usable way
      to let incoming communications make their way through a firewall
      under proper supervision:  that is, respecting the firewall
      policies and as opposed to circumventing security mechanisms.  The
      danger is that internal machines are unwittingly exposed to all
      the malicious communications from the external side that the
      firewall is intended to block.  This is particularly unacceptable
      if the UNSAF process is running on one machine which is acting on
      behalf of several.

   o  proposed workarounds include the use of "ping"-like packets as
      traffic to the target service in order to determine the source
      address from the perspective of the target.  However, there is no
      guarantee that the address translation will be constant throughout
      the course of the communication between endpoints; aging of NAT
      UDP bindings varies widely.

   o  if periodic retries are used to refresh/reevaluate the address
      translation state, both endpoints are required to maintain
      information about the presumed state of the communication in order
      to manage the address illusion.

   o  since the recipient of the "ping"-like packet (the target endpoint
      of the communication, or some generic reflecting service that is
      participating in the address determination) is not integrated with
      the middlebox, it can only operate on the assumption that past
      behavior is a predictor of future behavior.  It has no special
      knowledge of the address translation heuristic or affecting
      factors.

   o  the communication exchange is made more "brittle" by the
      introduction of other servers (UNSAF partners) that need to be
      reachable in order for the communication to succeed -- more boxes
      that are "fate sharing" in the communication.

   Work-arounds may mitigate some of these problems through tight
   scoping of applicability and specific fixes.  For example,



Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 3]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


   o  rather than finding the address from "the" outside of the NAT, the
      applicability of the approach may be limited to finding the "self-
      address" from a specific service, for use exclusively with that
      service;

   o  limiting the scope to outbound requests for service (or service
      initiation) in order to prevent unacceptable security exposures.


3. Practical Issues

   From observations of deployed networks, there is a wide variety of
   practice in how different NA[P]T boxes implement the handling of
   different traffic and addressing cases.

   Some of the specific types of observed behaviors have included:

   o  NA[P]Ts may drop fragments in either direction:  without complete
      TCP/UDP headers, the NA[P]T may not make the address translation
      mapping, simply dropping the packet.

   o  Shipping NA[P]Ts often contain Application Layer Gateways (ALGs),
      which attempt to be context-sensitive, performing different
      actions depending on the application of the data stream.  The
      behavior of the ALGs can be hard to anticipate, and these
      behaviors have not always been documented.

   o  NA[P]Ts differ markedly in their handling of UDP packets.  Quite a
      few only really work reliably with TCP.  If they do handle UDP,
      the timers aging out flows can vary widely.

   o  Variation in address and port assignments can be quite frequent --
      on NAPTs, port numbers always change, and change unpredictably;
      there may be multiple NATs in parallel for load-sharing, making IP
      address variations quite likely as well.


4. Architectural Considerations

   By distinguishing these approaches as short term fixes, the IAB
   believes the following considerations must be explicitly addressed in
   any proposal:

   1.  Precise definition of a specific, limited-scope problem that is
       to be solved with the UNSAF proposal.   A short term fix should
       not be generalized to solve other problems; this is why  "short
       term fixes usually aren't".




Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 4]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


   2.  Description of an exit strategy/transition plan.  The better
       short term fixes are the ones that will naturally see less and
       less use as the appropriate technology is deployed.

   3.  Discussion of specific issues that may render systems more
       "brittle".  For example, approaches that involve using data at
       multiple network layers create more dependencies, increase
       debugging challenges, and make it harder to transition.

   4.  Identify requirements for longer term, sound technical solutions
       -- contribute to the process of finding the right longer term
       solution.

   5.  Discussion of the impact of the noted practical issues with
       existing, deployed NA[P]Ts and experience reports.


5. Security Considerations

   As a general class of workarounds, as noted above UNSAF proposals may
   introduce security holes because, absent "middlebox communication
   (midcom)", there is no usable way to let incoming communications make
   their way through a firewall under proper supervision:  respecting
   the firewall policies as opposed to circumventing security
   mechanisms.


Authors' Addresses

   Leslie Daigle
   Editor


   Internet Architecture Board
   IAB

   EMail: iab@iab.org

Appendix A. IAB Members at the time of this writing

      Harald Alvestrand

      Ran Atkinson

      Rob Austein

      Fred Baker




Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 5]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


      Brian Carpenter

      Steve Bellovin

      Jon Crowcroft

      Leslie Daigle

      Steve Deering

      Sally Floyd

      Geoff Huston

      John Klensin

      Henning Schulzrinne


Appendix B. Acknowledgements

   This revision of the document has benefitted greatly from detailed
   comments and suggestions from Thomas Narten and Bernard Aboba.

Appendix C. Example NA[P]T Configuration Scenario

   Here is one sample scenario wherein it is difficult to describe a
   single "outside" to a given address realm (bridged by NAPTs).  This
   sort of configuration might arise in an enterprise environment, where
   different divisions have their own subnets (each using the same
   private address space); the divisions are connected so that they can
   pass traffic on each others' networks, but to access the global
   Internet, each uses a different NAPT/firewall.


















Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 6]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


                                    +---------+
                                    | Box C   | (192.168.4.5)
                                    +---+-----+
                                        |
       ---------------------------------+-------
                                        |
                                        | 192.168.3.0/24
                                   +----+----+
                                   | NAT 2   |
                                   +----+----+
                                        | 10.1.0.0/32
                                        |
         -----+-------------------------+------------+----
              |                                      |
              |                                 +----+----+
              |                                 | Box B   | (10.1.1.100)
              |                                 +---------+
              |
         +----+----+
         | NAPT 1  | (10.1.2.27)
         +----+----+
              | 10.1.0.0/32
              |
          ----+-----+--
                    |
                    |
               +----+----+
               | Box A   | (10.1.1.100)
               +---------+

   From the perspective of Box B, Box A's address is (some port on)
   10.1.2.27.  From the perspective of Box C, however, Box A's address
   is some address in the space 192.168.3.0/24.


















Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 7]


Internet-Draft      draft-iab-unsaf-considerations-01      February 2002


Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Daigle & Internet Architecture Board    Expires August 5, 2002    [Page 8]