Title: NAT requirements for TCP (BEHAVE WG)
NAT requirements for TCP (BEHAVE WG)
- draft-sivakumar-behave-nat-tcp-req-00.txt
S. Sivakumar, K. Biswas, B. Ford
Scope
- Recommendations to NAT implementors pertaining to TCP session processing.
- At the time of writing of this draft, <draft-ford-behave-gen-00.txt> was not available. Recommendations that are not specific to TCP or UDP will be moved to <draft-ford-behave-gen-00.txt>, pending WG consensus.
Req 1 - TCP State Machine (SM)
- TCP NAT Sessions MUST be stateful. NAT MUST use a light-weight TCP State Machine for managing timers, seq/ack adjustments etc.
- TCP NAT Sessions can be light-weight and must carry three states at a minimum: STARTUP, ACTIVE, CLOSING.
- A TCP NAT Session enters STARTUP state upon seeing the first SYN for a TCP session.
- A TCP NAT Session enters ACTIVE state upon completing the 3-way handshake.
- A TCP NAT Session enters CLOSING state upon seeing FIN or RST for the session.
Req 2 - Address/Port Binding
- NAT MUST maintain Address Binding and/or TCP Port Binding. Multiple TCP NAT Sessions could reuse the same TCP Port Binding.
- The filtering behavior of NAT for TCP sessions is as dictated by the NAT type (traditional, Bi-directional, Twice NAT types).
- Port parity, Port-contiguity: some suggestions have been made to specifically mention that port-parity and port-contiguity are not applicable to TCP traffic. Needs discussion?
Req 3 - TCP SM Timeouts
- NAT MUST maintain timeouts for the different states of the state machine in a TCP NAT Session. The timeouts MUST be configurable.
- NAT MUST maintain a SYN Timer to protect against SYN flood attacks in STARTUP state. Suggested timeout: 30 to 60 secs.
- NAT MUST maintain a Session Timer to track idle time on active TCP sessions. Suggested timeout: 60 mins if no KeepAlive is implemented and 120 minutes if KeepAlive is implemented.
- NAT MUST maintain a Close Timer, to allow for proper session termination, and to allow re-opening a recently closed or reset TCP session if desired. NAT can delete the TCP NAT session upon expiry of the Close timer, or enter STARTUP state and initiate the SYN timer upon receipt of a SYN. Suggested timeout: 2xMSL (Maximum Segment Lifetime) to 60 seconds.
Req 3 - TCP Keep-alive
- Upon Session Timer expiry, NAT SHOULD enter a "probe" state and send TCP keep-alive packets to the internal endpoint.
- Upon receiving ACK or data traffic, NAT should reset the Session Timer and remain in ACTIVE state.
- Upon receiving RST, NAT should forward the RST to the External Server, enter CLOSING state and start the Close Timer.
- Upon not receiving any response after a few retries, NAT should send RST to both parties, enter CLOSING state and start the Close Timer.
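The three slides above (Req 1, Req 3 timeouts and keep-alive) describe one state machine. The following is an added Python simulation of it, written for this page and not code from the draft or its authors. It uses the draft's suggested timer values; the probe spacing (PROBE_INTERVAL), the retry count (MAX_PROBES), the extra PROBE and DELETED states, and the simulated clock are assumptions made for the example. Packets are abstracted to a set of TCP flags.

```python
from dataclasses import dataclass, field

# Timer values: the draft's suggested values (Req 3). PROBE_INTERVAL and MAX_PROBES are
# assumptions standing in for the "few retries" the keep-alive slide leaves unspecified.
SYN_TIMEOUT = 60                # STARTUP, suggested 30-60 s
SESSION_TIMEOUT = 60 * 60       # ACTIVE without keep-alive, 60 min
SESSION_TIMEOUT_KA = 120 * 60   # ACTIVE with keep-alive, 120 min
CLOSE_TIMEOUT = 60              # CLOSING, 2xMSL to 60 s
PROBE_INTERVAL = 10             # assumed spacing between keep-alive probes
MAX_PROBES = 3                  # assumed retries before giving up


@dataclass
class NatSession:
    """One TCP NAT session; `now` is the simulated clock (seconds) when the first SYN was seen."""
    now: float
    keepalive: bool = True
    state: str = "STARTUP"
    expires: float = 0.0
    probes_sent: int = 0
    actions: list = field(default_factory=list)  # packets the NAT itself emits

    def __post_init__(self):
        # Created on the first SYN: STARTUP with the SYN timer armed.
        self._arm(self.now, SYN_TIMEOUT)

    def _arm(self, now, secs):
        self.expires = now + secs

    def _idle_timeout(self):
        return SESSION_TIMEOUT_KA if self.keepalive else SESSION_TIMEOUT

    def on_packet(self, now, flags):
        """flags: a set drawn from {"SYN", "ACK", "FIN", "RST", "DATA"}, either direction."""
        if self.state == "DELETED":
            return
        if "RST" in flags or "FIN" in flags:
            if self.state == "PROBE" and "RST" in flags:
                self.actions.append("forward_rst")  # probe answered with RST: relay to external peer
            self.state = "CLOSING"                  # FIN or RST from any live state: Close timer
            self._arm(now, CLOSE_TIMEOUT)
        elif self.state == "STARTUP":
            if "ACK" in flags and "SYN" not in flags:
                self.state = "ACTIVE"               # bare ACK completes the 3-way handshake
                self._arm(now, self._idle_timeout())
        elif self.state in ("ACTIVE", "PROBE"):
            self.state = "ACTIVE"                   # ACK or data: reset the Session timer
            self.probes_sent = 0
            self._arm(now, self._idle_timeout())
        elif self.state == "CLOSING" and "SYN" in flags:
            self.state = "STARTUP"                  # re-open a recently closed session
            self.probes_sent = 0
            self._arm(now, SYN_TIMEOUT)

    def on_timer(self, now):
        """Called periodically; acts only once the armed timer has expired."""
        if self.state == "DELETED" or now < self.expires:
            return
        if self.state == "STARTUP":
            self.state = "DELETED"                  # SYN timer: half-open entry dropped (SYN-flood protection)
        elif self.state == "ACTIVE" and not self.keepalive:
            self.state = "DELETED"                  # idle session, no probing configured: age it out
        elif self.state in ("ACTIVE", "PROBE"):
            if self.probes_sent < MAX_PROBES:
                self.state = "PROBE"
                self.probes_sent += 1
                self.actions.append("keepalive")    # probe the internal endpoint
                self._arm(now, PROBE_INTERVAL)
            else:
                self.actions.append("rst_both")     # no answer after retries: tear down both sides
                self.state = "CLOSING"
                self._arm(now, CLOSE_TIMEOUT)
        elif self.state == "CLOSING":
            self.state = "DELETED"                  # Close timer expired: session removed


def demo():
    """Walk one session through handshake, idle probing, probe exhaustion and teardown."""
    s = NatSession(now=0.0)
    s.on_packet(1.0, {"SYN", "ACK"})    # SYN/ACK from the server, still STARTUP
    s.on_packet(2.0, {"ACK"})           # handshake complete -> ACTIVE
    s.on_timer(s.expires)               # Session timer expires -> first keep-alive probe
    for _ in range(MAX_PROBES):
        s.on_timer(s.expires)           # remaining probes, then RST to both parties
    s.on_timer(s.expires)               # Close timer expires -> DELETED
    return s.state, s.actions


if __name__ == "__main__":
    print(demo())
```

The SYN timer is what bounds the damage of a SYN flood against the NAT's session table: a half-open entry that never completes the handshake is discarded after SYN_TIMEOUT instead of living for the full idle timeout, so a flood can hold at most one timer's worth of entries.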
Req 4 - Port Reservation
- NAT's TCP Port space is shared by 2 functions:
  - (a) Router's local end-host functionality
  - (b) Router's NAT functionality
- NAT MUST NOT use a single TCP port for both NATed sessions and local application sessions at the same time.
- Recommendation: NAT implementers SHOULD set aside port-blocks for end-host functionality vs. NAT functionality.
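Req 2 (one port binding shared by several sessions) and Req 4 (keeping the router's own ports out of the NAT pool) can be illustrated with one small binding table. The code below is an added example written for this page, not the draft's or any vendor's implementation; the addresses, the port-block boundaries and the class and method names are constructed for the example.

```python
class PortPool:
    """External TCP port bindings for one NAT external address (example, not the draft's code)."""

    def __init__(self, ext_ip, nat_block=(10000, 65535), local_block=(1024, 9999)):
        self.ext_ip = ext_ip
        self.nat_block = nat_block          # ports the NAT may hand out (assumed block)
        self.local_block = local_block      # ports reserved for applications on the router (assumed block)
        self.bindings = {}                  # (int_ip, int_port) -> ext_port  (Req 2 port binding)
        self.in_use = set()                 # external ports currently held by a NAT binding
        self.local_ports = set()            # ports claimed by the router's own applications
        self.sessions = set()               # (int_ip, int_port, rem_ip, rem_port)
        self._next = nat_block[0]

    def _allocate(self):
        """Next free port in the NAT block; ports claimed locally are skipped even if the blocks overlap."""
        lo, hi = self.nat_block
        for _ in range(hi - lo + 1):
            port = self._next
            self._next = lo if port == hi else port + 1
            if port not in self.in_use and port not in self.local_ports:
                return port
        raise RuntimeError("NAT port block exhausted")

    def open_session(self, int_ip, int_port, rem_ip, rem_port):
        """Return (ext_ip, ext_port) for this session, creating a binding only if none exists.
        A second session from the same internal endpoint reuses the existing binding."""
        key = (int_ip, int_port)
        if key not in self.bindings:
            self.bindings[key] = self._allocate()
            self.in_use.add(self.bindings[key])
        self.sessions.add((int_ip, int_port, rem_ip, rem_port))
        return self.ext_ip, self.bindings[key]

    def close_session(self, int_ip, int_port, rem_ip, rem_port):
        """Drop one session; the binding is released only when its last session is gone."""
        self.sessions.discard((int_ip, int_port, rem_ip, rem_port))
        key = (int_ip, int_port)
        if key in self.bindings and not any(s[:2] == key for s in self.sessions):
            self.in_use.discard(self.bindings.pop(key))

    def bind_local(self, port):
        """A local application on the router claims a port (Req 4). Refused outside the local
        block, or if a NAT binding currently owns it, so a port is never shared at the same time."""
        lo, hi = self.local_block
        if not lo <= port <= hi:
            raise ValueError(f"port {port} is outside the local block {self.local_block}")
        if port in self.in_use:
            raise ValueError(f"port {port} is held by a NAT binding")
        self.local_ports.add(port)
        return port
```

With the default (disjoint) blocks the two checks in `bind_local` never both fire; the second check and the skip in `_allocate` are what keep the MUST NOT of Req 4 intact on a box whose operator configures overlapping blocks.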
Req 5 - IP Frags, TCP Segments
- IP Fragments: suggest moving this to draft-ford-behave-gen-00.txt
- TCP Segment processing: recommended only when ALGs are enabled on the same NAT device. Not a mandatory requirement.
- NAT SHOULD support TCP Segments received out of order. TCP Segment processing SHOULD be as described in the draft.
- NAT SHOULD enforce sequencing on the out-of-order TCP segments such that NAT reassembles the TCP segments prior to handing off to an ALG.
- NAT SHOULD send TCP ACK to the endpoint (when a segment is out of order) for obtaining subsequent segments from the endpoint.
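An added example of the reordering step in Req 5 (written for this page, not taken from the draft): out-of-order segments are held by sequence number, released to the ALG only once contiguous, and each gap is answered with an ACK for the next expected byte so the sender retransmits the missing piece. Sequence arithmetic is done modulo 2^32; the class and method names are assumptions, and the simplification of not trimming partially overlapping segments is noted in the code.

```python
MOD = 1 << 32  # TCP sequence number space


def seq_after(a, b):
    """True if sequence number a lies after b under 32-bit wraparound (RFC 793 style comparison)."""
    return a != b and (a - b) % MOD < (1 << 31)


class SegmentReorderer:
    """Reassembles one direction of a TCP stream in order before it reaches an ALG (example code)."""

    def __init__(self, initial_seq):
        self.next_seq = initial_seq % MOD  # next byte the ALG is waiting for
        self.pending = {}                  # seq -> payload for segments that arrived early
        self.acks = []                     # ACK numbers the NAT itself sends to solicit the gap

    def receive(self, seq, payload):
        """Feed one segment; return the bytes now deliverable in order to the ALG (b"" if none)."""
        seq %= MOD
        if seq != self.next_seq:
            if seq_after(seq, self.next_seq):
                # Future segment: hold it and ACK the gap so the endpoint resends the missing data.
                self.pending[seq] = payload
                self.acks.append(self.next_seq)
            # Otherwise an old or duplicate segment; simplification: partial overlaps are not trimmed.
            return b""
        out = bytearray(payload)
        self.next_seq = (self.next_seq + len(payload)) % MOD
        # Drain any buffered segments that have just become contiguous.
        while self.next_seq in self.pending:
            seg = self.pending.pop(self.next_seq)
            out += seg
            self.next_seq = (self.next_seq + len(seg)) % MOD
        return bytes(out)
```

A production implementation would bound `pending` per session; an unbounded reassembly buffer is the usual way an out-of-order reassembler turns into a memory exhaustion problem on the NAT.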
Req 6 - Seq/Ack adjustment
- Recommendation for NAT only when ALGs are enabled on the same device. Not a mandatory requirement.
- If NAT has an ALG enabled, the ALG might cause the application payload to increase/decrease in size. The ALG will need to change the seq/ack number in the TCP header and save this information, along with the delta of the change, in the TCP NAT Session, so as to adjust subsequent TCP packets of the session.
- If NAT has an ALG enabled, the TCP NAT Sessions SHOULD be extended to include seq-delta and ack-delta info in the TCP NAT Session.
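The seq-delta/ack-delta bookkeeping of Req 6, as an added example written for this page rather than code from the draft. It keeps one cumulative delta per direction in the session: a packet's sequence number is shifted by the delta already accumulated in its own direction, and its acknowledgement number is shifted back by the opposite direction's delta. The class and method names are assumptions.

```python
from dataclasses import dataclass, field

MOD = 1 << 32  # TCP sequence number space


@dataclass
class SeqAckAdjuster:
    """Per-session seq/ack deltas, one per direction: "out" (internal -> external) and "in"."""
    delta: dict = field(default_factory=lambda: {"out": 0, "in": 0})

    def translate(self, direction, seq, ack, payload_delta=0):
        """Rewrite the seq/ack of a packet travelling in `direction`. `payload_delta` is the
        number of bytes the ALG added (positive) or removed (negative) from this packet's
        payload. Returns the (seq, ack) to write into the forwarded header."""
        other = "in" if direction == "out" else "out"
        # Data in this direction was stretched by earlier rewrites, so later seqs shift forward.
        new_seq = (seq + self.delta[direction]) % MOD
        # ACKs count the other direction's rewritten bytes, so undo that direction's shift.
        new_ack = (ack - self.delta[other]) % MOD
        # Record this packet's rewrite; it affects every later packet, not the packet itself.
        self.delta[direction] += payload_delta
        return new_seq, new_ack
```

A single cumulative delta is the minimum the slide asks for. It assumes segments are not retransmitted from before a rewrite; a fuller implementation records (sequence number, delta) pairs so that a retransmitted old segment is shifted by the delta that applied at its position, not the current one.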
Req 7 - ICMP Err-Msg handling
- NAT SHOULD fix the embedded payload in the ICMP Error messages. This is not specific to TCP. Suggest moving this to draft-ford-behave-gen-00.txt.
New Reqs (Not included yet)
- NAT must generate/process PMTU msgs for TCP packets
  - TCP packets often have the DF (Do not Fragment) bit set, which requires devices en route to not fragment TCP segments. If MTUs do not match, NAT MUST send a destination unreachable ICMP message with the suggested MTU to the sender and drop the TCP packet.
  - NAT must also honor the ICMP destination unreachable messages it receives from intermediate nodes in either realm and forward them to the appropriate end-node.
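Req 7 and the PMTU items above are two halves of the same mechanism, shown here in one added example written for this page (not the draft's code). Outbound, a DF-marked segment larger than the egress MTU is dropped and answered with an ICMP Destination Unreachable, Fragmentation Needed (type 3, code 4) carrying the MTU; inbound, an ICMP error from the external realm has its embedded header mapped back through the binding table so the internal host can match it to its own connection. Packets are plain dicts, and the addresses, the binding table layout and the function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    int_ip: str
    int_port: int
    ext_ip: str
    ext_port: int


def outbound_tcp(pkt, binding, egress_mtu):
    """pkt: dict with src, sport, dst, dport, length (total IP length) and df.
    Returns ("forward", translated_pkt) or ("drop", icmp_error_for_the_internal_sender)."""
    if pkt["df"] and pkt["length"] > egress_mtu:
        # DF set and too big for the external link: do not fragment; tell the sender the MTU.
        icmp = {"type": 3, "code": 4, "mtu": egress_mtu, "dst": pkt["src"],
                "inner": dict(pkt)}          # an ICMP error quotes the offending packet's header
        return "drop", icmp
    return "forward", dict(pkt, src=binding.ext_ip, sport=binding.ext_port)


def inbound_icmp_error(icmp, table):
    """ICMP error arriving from the external realm (e.g. from an intermediate router).
    The quoted inner packet is one this NAT translated, so its source is the external
    binding; rewrite it back to the internal endpoint (Req 7) and deliver it there.
    table: (ext_ip, ext_port) -> Binding."""
    inner = icmp["inner"]
    b = table.get((inner["src"], inner["sport"]))
    if b is None:
        return "drop", None   # no binding for the quoted packet: nothing to deliver
    fixed = dict(inner, src=b.int_ip, sport=b.int_port)
    return "forward", dict(icmp, dst=b.int_ip, inner=fixed)
```

Looking up the embedded header in the binding table is also the check that keeps the NAT from relaying unsolicited ICMP errors: an error whose quoted packet matches no binding is dropped rather than forwarded to an internal host.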
Wrap-up
- Comments/Suggestions?
- (We plan to summarize the requirements at the end, and move the text common to both TCP and UDP to draft-ford-behave-gen-00.txt, based on WG inputs)
- Accept as WG item?
Differences between 2 TCP submissions
- Both drafts (Sivakumar-draft and Modadugu-draft) are similar in content. So, common Reqs are not listed. Below are the main differences.
- TCP State Machine requirement
  - sivakumar-draft states that NAT MUST maintain a light-weight TCP state-machine.
  - modadugu-draft does not mandate this.
Differences between 2 TCP submissions
- Port reservation requirement
  - sivakumar-draft recommends that NAT SHOULD set aside ports for local TCP applications running on the box and avoid port-number conflicts.
  - modadugu-draft does not provide a recommendation.
- TCP Timers requirement
  - sivakumar-draft recommends that NAT MUST maintain SYN, Session and Close timers.
  - modadugu-draft discusses timers, but does not list them as a requirement.
Differences between 2 TCP submissions
- TCP KeepAlive requirement
  - sivakumar-draft recommends this as a SHOULD, without making this a mandatory requirement.
  - modadugu-draft does not offer a recommendation (author believes this is not needed).
- TCP Segments handling requirement
  - sivakumar-draft recommends this as a SHOULD only when an ALG is enabled on the NAT.
  - modadugu-draft does not offer a recommendation (author believes this is not needed).
Differences between 2 TCP submissions
- Allow Incoming SYN requirement
  - sivakumar-draft does not offer an explicit recommendation on this.
  - modadugu-draft recommends that NAT MUST allow an incoming SYN while a NAT Session is alive (e.g. in CLOSING state).
- Paired Source-IP address pooling behavior requirement
  - sivakumar-draft does not offer a recommendation on this (draft-ford-behave-gen-00.txt covers this).
  - modadugu-draft recommends that a NAT SHOULD support the IP address pooling behavior of Paired, if the NAT supports IP address pooling.
Differences between 2 TCP submissions
- Finally, some stylistic differences
  - Sivakumar-draft lists the requirements as you go along. Summary requirements are intended to be listed at the end.
  - Modadugu-draft lists the requirements first, similar to the behave-udp draft, followed by discussion of the requirements.