BEHAVE minutes, IETF87, Berlin, July 29, 2013, 1300-1500, room: Charlottenburg 1

Chairs: Dave Thaler, dthaler@microsoft.com; Dan Wing, dwing@cisco.com
Minutes by Stuart Cheshire and Philip Matthews
Audio: http://www.ietf.org/audio/ietf87/ietf87-charlottenburg1-20130729-1300-pm.mp3
Jabber archive: http://www.ietf.org/jabber/logs/behave/2013-07-29.html

Chairs presented agenda, milestones, and document status.

13:05 NAT logging: IPFIX and SYSLOG (Cathy Zhou, 20)
draft-ietf-behave-ipfix-nat-logging
draft-ietf-behave-syslog-nat-logging
Goal: discuss open issues

Question: How to represent pre-NAT addresses?
Simon Perreault: Could we use the concept of "realms"?
Dave Thaler: There are two questions. One is how to *represent* IPv4 and IPv6 addresses, i.e. string, binary format, etc. The other question is how to identify to which realm an address belongs, if the address is not globally unique.

Question: Do we need a "device type" field?
Dave Thaler: Do these need to be registered through IANA, or is it just free-form text? I see no need to standardize it.
Dan Wing: I support it being free-form comment text. Just don't call it "device type".
Simon Perreault: I agree with it being free-form text.

Question: Should we log events like high-water-mark values?
Simon Perreault: Yes.
Dave Thaler: This document and the NAT MIB should be made consistent. This document should be a superset of logging items specified elsewhere.

Question: Quotas?
Dave Thaler: Proposal: only require per-user quotas, not global quotas.
Simon Perreault: Quota types are a bad idea. We just need to log when a quota is exceeded, and the event that caused it.

Question: How to represent port ranges?
Simon Perreault: It should be done the IPFIX way. We need a compact way to represent complex ranges.
Dave Thaler: It's okay for the syslog form to be less compact. Could log an event as multiple events if necessary.
Dan Wing: I favor having a single encoding, not two.

Question: Do we need an "Invalid port" event?
Dave Thaler: Maybe this could be a counter?

13:35 NAT Requirements Update (Simon Perreault, 15)
draft-ietf-behave-requirements-update
Goal: discuss open issues

Shin Miyakawa: Okay to make assumptions for destination port 53, but not 80.
Dave Thaler: Not okay to make assumptions for *any* destination port.
Eric Rescorla: Do NATs really use low-numbered ports like 53 for external addresses?
Eric Rescorla: Is there really value in special-casing destination port 53? Don't ISPs run their own recursive DNS servers?
Simon Perreault: 7.5% of users use Google DNS instead of the ISP's DNS.
Philip Matthews: Is this a real problem? I have not heard customers request this.
Tirumaleswar Konda: This might affect MPTCP.

13:55 The New NAT MIB (Simon Perreault, 10)
draft-ietf-behave-nat-mib
Goal: determine if we need a new MIB or an update to RFC 4008

Question: Should we declare RFC 4008 historic, or revise it?
Mild preference for revising it.

14:00 Problems with STUN Authentication for TURN (Tiru Reddy, 10)
draft-reddy-behave-turn-auth
Goal: determine if this is a common problem

Eric Rescorla: Problems with longevity of secrets are inherent in any use of username/password.
Martin Thomson: The TURN server doesn't need to store the password; just a digest of the password.
Dave Thaler: Isn't there a TURN-TLS protocol?
Eric Rescorla: Yes.
Tiru Reddy: Is this an interesting problem to solve?
Eric Rescorla: These are interesting problems to solve, but they don't require changing TURN to solve them.
Simon Perreault: Lack of support for multiple realms is the biggest problem.

14:10 A REST API For Access To TURN Services (Justin Uberti, 10)
http://tools.ietf.org/html/draft-uberti-behave-turn-rest
Goal: determine if in charter for BEHAVE, RTCWEB, or both

Simon Perreault: How does the TURN server know this mechanism is being used?
Justin Uberti: It is configured that way.
Philip Matthews: It would be good to have a problem statement of exactly what new requirements need to be addressed.
Martin Thomson: I don't think you're solving the right problem. You're defining the wrong part of the protocol. You can just do this using JavaScript, so it doesn't need to be standardized.

14:25 Carrier Grade NAT Deployment Considerations (Kaname Nishizuka, 10)
draft-nishizuka-cgn-deployment-considerations
Goal: determine if this is a common problem

Gang Chen: This is similar to work in SUNSET4.

14:33 Accessing IPv6 content for IPv4-only clients (Branimir Rajtar, 10)
draft-rfvlb-behave-v6-content-for-v4-clients
Goal: determine if this is a common problem

Dapeng Liu: This topic was discussed in BEHAVE three years ago.
Dave Thaler: This has many of the same limitations as NAT-PT. Just use an HTTP proxy instead to avoid the limitations.
Ian Farrer: We did some forensic work, and three years ago no one had this problem. Now things have changed, which is why we want to re-invigorate this work.
Lorenzo Colitti: Is this for general use on the public Internet?
Branimir Rajtar: For the public Internet.
Lorenzo Colitti: Then I don't see how it's useful, because no one can safely deploy an IPv6-only web site until after this solution is universally deployed.

14:40 IPv4-only users accessing IPv6-only content (Chongfeng Xie, 10)
draft-sun-behave-v4tov6
Goal: determine if this is a common problem

Philip Matthews: There was a similar proposal at a RIPE meeting a year ago: https://ripe64.ripe.net/presentations/67-20120417-RIPE64-The_Case_for_IPv6_Only_Data_Centres.pdf
Lorenzo Colitti: Approach 1: why not just use an HTTP proxy? Approach 2 uses just as many IPv4 addresses. It doesn't work well for SSL, because SSL needs a different IP address for each host.
Tiru Reddy: Is there a problem with CDNs? Answer: use approach 2.
Dave Thaler: I agree with Lorenzo. This could be done with an HTTP proxy. Many other things could be done with a TCP proxy.

14:53 Radius Attributes for Stateful NAT64 (Gang Chen, 10)
draft-chen-behave-nat64-radius-extension
Goal: determine if this is a common problem

Chairs asked if the WG saw this as a common problem.
Tiru Reddy: I posted some comments to the mailing list on deployment scenarios, and the security considerations do not explain whether the geolocation server is in a different administrative domain.
Gang Chen: Will update the draft based on comments.

14:59 Network Address Port Group Translator (Wei Meng, 10)
draft-meng-behave-napgt
Goal: determine if this is a common problem

Presented by Wei Meng. No time for comments.

15:02 END