NAT Behavioral Requirements for Unicast UDP
draft-ietf-behave-nat-udp-03
François Audet - audet@nortel.com
Cullen Jennings - fluffy@cisco.com
Status
• draft-ietf-behave-nat-udp-00 presented at IETF 62
• Went through Working Group Last Call
• Third minor release since then (-01, -02, -03)
• Integrates all decisions made at IETF 62 and on the mailing list since then
• No major outstanding issues
Summary of changes from -00
• Applicability Statement:
  • Clarified that the document applies to Traditional NAT (the -00 text also covered Bi-directional NAT and Twice NAT)
  • Removed some verbiage about "large Enterprise NAT"
• Terminology
  • Simplified the names of behaviors, e.g., "External NAT mapping is endpoint address dependent" becomes "Address Dependent Mapping"
Summary of changes from -00
• Requirements are now listed in the flow of the text, with their justification, where they naturally occur in the document, for ease of reading
• The requirement summary section remains
• Combined the "Mapping Refresh Scope" and "Mapping Refresh Direction" sections into a new "Mapping Refresh" section
Summary of changes from -00
• Removed entirely the section describing the relationship between the explicit behaviors described in this document and the old, broken "Cone/Symmetric" terminology
• Editorial clarifications in the ICMP and fragmentation sections
Summary of changes from -00
Old REQ-3
It is RECOMMENDED that a NAT have a "Port assignment" behavior of "No port preservation".
a) NAT MAY use a "Port assignment" behavior of "Port preservation".
b) A NAT MUST NOT have a "Port assignment" behavior of "Port overloading".
c) If the host's source port was in the range 1-1023, it is RECOMMENDED the NAT's source port also be in the same range. If the host's source port was in the range 1024-65535, it is RECOMMENDED that the NAT's source port also be in that range.
New REQ-3
A NAT MUST NOT have a "Port assignment" behavior of "Port overloading".
a) If the host's source port was in the range 1-1023, it is RECOMMENDED the NAT's source port be in the same range. If the host's source port was in the range 1024-65535, it is RECOMMENDED that the NAT's source port be in that range.
Summary of changes from -00
• Deleted REQ-6b: "The NAT mapping Refresh Direction MUST have a "NAT refresh method behavior" of "Per mapping" (i.e., refresh all sessions active on a particular mapping)."
Summary of changes from -00
Old REQ-7
It is RECOMMENDED that a NAT have an "External filtering is endpoint address dependent" behavior.
New REQ-7
If application transparency is most important, it is RECOMMENDED that a NAT have "Endpoint independent filtering" behavior. If a more stringent filtering behavior is most important, it is RECOMMENDED that a NAT have "Address dependent filtering" behavior.
a) The filtering behavior MAY be an option configurable by the administrator of the NAT.
Summary of changes from -00
Old REQ-9
If a NAT includes ALGs, it is RECOMMENDED that all of those ALGs be disabled by default.
a) If a NAT includes ALGs, it is RECOMMENDED that the NAT allow the user to enable or disable each ALG separately.
New REQ-9
If a NAT includes ALGs, it is RECOMMENDED that all of those ALGs (except for DNS [19] and FTP [18]) be disabled by default.
a) If a NAT includes ALGs, it is RECOMMENDED that the NAT allow the NAT administrator to enable or disable each ALG separately.
Summary of changes from -00
Old REQ-11
It is RECOMMENDED that a NAT support ICMP Destination Unreachable.
a) The ICMP timeout SHOULD be greater than 2 seconds.
New REQ-11
Receipt of any sort of ICMP message MUST NOT destroy the NAT mapping.
a) The NAT's default configuration SHOULD NOT filter ICMP messages based on their source IP address.
b) It is RECOMMENDED that a NAT support ICMP Destination Unreachable messages.
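The new REQ-3, REQ-7 and REQ-11 above in a small executable model, added here as an illustration; it is not code from the draft, the presentation or its authors. The model is a toy UDP NAPT that assumes endpoint-independent mapping (one external port per internal (address, port), whatever the destination), which the slides mention only as terminology; `ToyNat`, its method names, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the ports are all constructed for the example.

```python
"""Toy UDP NAT illustrating three behaviours of draft-ietf-behave-nat-udp-03:

  REQ-3   no "Port overloading" (an external port is never shared by two
          internal endpoints); port preservation is allowed; the external
          port stays in the host's range (1-1023 or 1024-65535).
  REQ-7   "Endpoint independent" vs "Address dependent" external filtering.
  REQ-11  receipt of an ICMP message must not destroy the mapping.

Added example, not code from the draft; every address and port below is
constructed for illustration.  Mapping behaviour is assumed to be
endpoint-independent (one external port per internal endpoint).
"""

EXTERNAL_IP = "203.0.113.1"          # constructed public address of the NAT
ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"


class ToyNat:
    def __init__(self, filtering=ENDPOINT_INDEPENDENT):
        if filtering not in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT):
            raise ValueError(filtering)
        self.filtering = filtering
        self.mappings = {}   # (int_ip, int_port) -> ext_port
        self.owner = {}      # ext_port -> (int_ip, int_port): one owner per port
        self.peers = {}      # ext_port -> set of external IPs sent to via it

    def _assign_port(self, int_port):
        """REQ-3: try port preservation first, then any free port in the same
        range as the host's source port.  A port already owned by another
        internal endpoint is never reused ("Port overloading" is forbidden)."""
        lo, hi = (1, 1023) if int_port <= 1023 else (1024, 65535)
        for candidate in [int_port] + [p for p in range(lo, hi + 1) if p != int_port]:
            if candidate not in self.owner:
                return candidate
        raise RuntimeError("no free external port in range %d-%d" % (lo, hi))

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Translate an outbound datagram; return the (ip, port) the peer sees."""
        key = (int_ip, int_port)
        if key not in self.mappings:
            ext_port = self._assign_port(int_port)
            self.mappings[key] = ext_port
            self.owner[ext_port] = key
            self.peers[ext_port] = set()
        ext_port = self.mappings[key]
        self.peers[ext_port].add(dst_ip)
        return (EXTERNAL_IP, ext_port)

    def inbound(self, src_ip, src_port, ext_port):
        """Return the internal (ip, port) a datagram is delivered to, or None."""
        key = self.owner.get(ext_port)
        if key is None:
            return None                      # no mapping: dropped in every mode
        if self.filtering == ADDRESS_DEPENDENT and src_ip not in self.peers[ext_port]:
            return None                      # REQ-7: address never contacted
        return key

    def icmp_received(self, ext_port, icmp_type, icmp_code):
        """REQ-11: an ICMP message (e.g. type 3, Destination Unreachable) for
        one of our external ports is passed on and the mapping is kept.
        Returns True if the mapping still exists afterwards."""
        # A pre-REQ-11 implementation might delete self.owner[ext_port] here.
        return ext_port in self.owner


def port_assignment_demo():
    nat = ToyNat()
    a = nat.outbound("10.0.0.2", 5060, "198.51.100.10", 5060)[1]  # preserved
    b = nat.outbound("10.0.0.3", 5060, "198.51.100.10", 5060)[1]  # same src port, other host
    c = nat.outbound("10.0.0.4", 500, "198.51.100.20", 500)[1]    # low port, preserved
    d = nat.outbound("10.0.0.5", 500, "198.51.100.20", 500)[1]    # stays in 1-1023
    return a, b, c, d


def filtering_demo(filtering):
    nat = ToyNat(filtering=filtering)
    nat.outbound("10.0.0.2", 5060, "198.51.100.10", 3478)
    ext_port = nat.mappings[("10.0.0.2", 5060)]
    from_known = nat.inbound("198.51.100.10", 3478, ext_port)
    from_unknown = nat.inbound("198.51.100.99", 4000, ext_port)   # never contacted
    no_mapping = nat.inbound("198.51.100.10", 3478, 40000)        # unused port
    return from_known, from_unknown, no_mapping


def icmp_demo():
    nat = ToyNat()
    nat.outbound("10.0.0.2", 5060, "198.51.100.10", 5060)
    ext_port = nat.mappings[("10.0.0.2", 5060)]
    kept = nat.icmp_received(ext_port, 3, 3)   # Destination/Port Unreachable
    return kept and nat.inbound("198.51.100.10", 5060, ext_port) == ("10.0.0.2", 5060)


if __name__ == "__main__":
    print("REQ-3 ports:", port_assignment_demo())
    print("REQ-7 EI:", filtering_demo(ENDPOINT_INDEPENDENT))
    print("REQ-7 AD:", filtering_demo(ADDRESS_DEPENDENT))
    print("REQ-11 mapping survives ICMP:", icmp_demo())
```

Running it shows the second host that also uses source port 5060 being moved to a different port in the 1024-65535 range rather than sharing 5060 (the overloading case REQ-3 forbids), the same inbound datagram from an address the host never contacted being delivered under endpoint-independent filtering but dropped under address-dependent filtering, and the mapping outliving an ICMP Destination Unreachable.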
Open issues
• One outstanding issue
  • REQ-7a: Should the "MAY" be a "SHOULD"?
  • Let's decide once and for all
• I believe I forgot to completely remove section 5.2 as agreed. Objections to doing so?
• Next step?