draft-ietf-tsvwg-behave-requirements-update-07.txt   draft-ietf-tsvwg-behave-requirements-update-08.txt 
TSVWG R. Penno TSVWG R. Penno
Internet-Draft Cisco Internet-Draft Cisco
Updates: 4787, 5382, 5508 (if approved) S. Perreault Updates: 4787, 5382, 5508 (if approved) S. Perreault
Intended status: Best Current Practice Jive Communications Intended status: Best Current Practice Jive Communications
Expires: August 19, 2016 M. Boucadair, Ed. Expires: September 3, 2016 M. Boucadair, Ed.
Orange Orange
S. Sivakumar S. Sivakumar
Cisco Cisco
K. Naito K. Naito
NTT NTT
February 16, 2016 March 2, 2016
Network Address Translation (NAT) Behavioral Requirements Updates Network Address Translation (NAT) Behavioral Requirements Updates
draft-ietf-tsvwg-behave-requirements-update-07 draft-ietf-tsvwg-behave-requirements-update-08
Abstract Abstract
This document clarifies and updates several requirements of RFC4787, This document clarifies and updates several requirements of RFC4787,
RFC5382, and RFC5508 based on operational and development experience. RFC5382, and RFC5508 based on operational and development experience.
The focus of this document is NAT44. The focus of this document is NAT44.
This document updates RFCs 4787, 5382, and 5508. This document updates RFCs 4787, 5382, and 5508.
Status of This Memo Status of This Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 19, 2016. This Internet-Draft will expire on September 3, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 7 skipping to change at page 3, line 7
14. Security Considerations . . . . . . . . . . . . . . . . . . . 10 14. Security Considerations . . . . . . . . . . . . . . . . . . . 10
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
15.1. Normative References . . . . . . . . . . . . . . . . . . 11 15.1. Normative References . . . . . . . . . . . . . . . . . . 11
15.2. Informative References . . . . . . . . . . . . . . . . . 11 15.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
[RFC4787], [RFC5382], and [RFC5508] greatly advanced Network Address [RFC4787], [RFC5382], and [RFC5508] contributed to enhance Network
Translation (NAT) interoperability and conformance. Operational Address Translation (NAT) interoperability and conformance.
experience gained through widespread deployment and evolution of NAT Operational experience gained through widespread deployment and
indicates that some areas of the original documents need further evolution of NAT indicates that some areas of the original documents
clarification or updates. This document provides such clarifications need further clarification or updates. This document provides such
and updates. clarifications and updates.
1.1. Scope 1.1. Scope
The goal of this document is to clarify and update the set of The goal of this document is to clarify and update the set of
requirements listed in [RFC4787], [RFC5382], and [RFC5508]. The requirements listed in [RFC4787], [RFC5382], and [RFC5508]. The
document focuses exclusively on NAT44. document focuses exclusively on NAT44.
The scope of this document has been set so that it does not create The scope of this document has been set so that it does not create
new requirements beyond those specified in the documents cited above. new requirements beyond those specified in the documents cited above.
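Review bot: "contributed to enhance" in the new Introduction wording is ungrammatical; "contributed to enhancing" (or "helped improve") keeps the softened claim that replaces "greatly advanced" without the error.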
skipping to change at page 10, line 15 skipping to change at page 10, line 15
14. Security Considerations 14. Security Considerations
NAT behavioral considerations are discussed in [RFC4787], [RFC5382], NAT behavioral considerations are discussed in [RFC4787], [RFC5382],
and [RFC5508]. and [RFC5508].
Because some of the clarifications and updates (e.g., Section 2) are Because some of the clarifications and updates (e.g., Section 2) are
inspired from NAT64, the security considerations discussed in inspired from NAT64, the security considerations discussed in
Section 5 of [RFC6146] apply also for this specification. Section 5 of [RFC6146] apply also for this specification.
The update in Section 3 allows for an optimized NAT resource usage. The update in Section 3 allows for an optimized NAT resource usage.
In order to avoid service disruption, the NAT MUST invoke this In order to avoid service disruption, the NAT must not invoke this
functionality only if packets are to be sent to distinct destination functionality unless the packets are to be sent to distinct
addresses. destination addresses.
Some of the updates (e.g., Section 7, Section 9, and Section 11) Some of the updates (e.g., Section 7, Section 9, and Section 11)
allow for an increased security compared to [RFC4787], [RFC5382], and allow for an increased security compared to [RFC4787], [RFC5382], and
[RFC5508]. Particularly: [RFC5508]. Particularly:
o The updates in Section 7 and Section 11 prevent an illegitimate o The updates in Section 7 and Section 11 prevent an illegitimate
node to maintain mappings activated in the NAT while these node to maintain mappings activated in the NAT while these
mappings should be cleared. mappings should be cleared.
o Port randomization (Section 9) complicates tracking hosts located o Port randomization (Section 9) complicates tracking hosts located
behind a NAT. behind a NAT.
Section 4 and Section 12 propose updates that increase the Section 4 and Section 12 propose updates that increase the
serviceability of a host located behind a NAT. These updates do not serviceability of a host located behind a NAT. These updates do not
introduce any additional security concerns to [RFC4787], [RFC5382], introduce any additional security concerns to [RFC4787], [RFC5382],
and [RFC5508]. and [RFC5508].
The updates in Section 5 and Section 6 allow for a better NAT The updates in Section 5 and Section 6 allow for a better NAT
transparency from an application standpoint. Hosts which require a transparency from an application standpoint. Hosts that require a
restricted filtering behavior should enable specific policies (e.g., restricted filtering behavior should enable specific policies (e.g.,
access control list (ACL)) either locally or by soliciting a access control list (ACL)) either locally or by soliciting a
dedicated security device (e.g., firewall). How a host updates its dedicated security device (e.g., firewall). How a host updates its
filtering policies is out of scope of this document. filtering policies is out of scope of this document.
The update in Section 8 induces security concerns that are specific The update in Section 8 induces security concerns that are specific
to the protocol used to interact with the NAT. For example, if PCP to the protocol used to interact with the NAT. For example, if PCP
is used to explicitly request parity preservation for a given is used to explicitly request parity preservation for a given
mapping, the security considerations discussed in [RFC6887] should be mapping, the security considerations discussed in [RFC6887] should be
taken into account. taken into account.
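Review bot: the rewrite of the Section 3 sentence in Security Considerations replaces the uppercase requirement keyword "MUST" with lowercase "must not", so the sentence loses its normative force; for a document with intended status Best Current Practice that updates RFCs 4787, 5382 and 5508, either keep it normative ("the NAT MUST NOT invoke this functionality unless the packets are to be sent to distinct destination addresses") or make clear here that the binding requirement is stated in Section 3 and this paragraph only restates it. The "must not ... unless" phrasing itself is clearer than the old "MUST ... only if" and is worth keeping.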
End of changes. 7 change blocks.
14 lines changed or deleted, 14 lines changed or added

This html diff was produced by rfcdiff 1.43. The latest version is available from http://tools.ietf.org/tools/rfcdiff/