In your previous mail you wrote: => I leave the draft-penno-* unclear items to Reinaldo...
> > (note: 1- it should be not what we want as it makes CPEs trivial > > to track, 2- it doesn't remove the mandatory check on source ports > > in the from CPE to the Internet way) > > Med: I failed to get your first point. Could you please clarify? Thanks. => when what you can see from the Internet is a big port range per customer it is trivial to track/trace customers. So what I call "none" algorithm (i.e., no port translation by the SD-CGN) or "direct" algorithm (i.e., port translation by adding a constant, the difference between the first/base port of ranges) are bad according to (quoting draft-tsou-softwire-port-set-algorithms-analysis): A good port set definition algorithm must be reversible, easy to implement, and should be able to define non-continuous or random port sets for better security, be able to exclude the well known ports, 0 ~ 1023 or 0 ~ 4095, etc. (BTW the last point doesn't apply to ICMP echo IDs) The note is about no second NAT, i.e., "none" algorithm. > Med: applications using referral need to know the external IP address. => this comment is about the second NAT so as it doesn't translate the IP address is out of context (but I agree there are more needs for the external address than the external port) > > => no such specific: > > - it makes the reasonable assumption than IPv4 addresses are assigned > > using DHCPv4 > > Med: It is not "reasonable" when you don't have a DHCPv4 server but use PCP > for instance. => PCP doesn't provide your IPv4 address. In fact, if you don't know your assigned IPv4 address you can't run PCP, nor any applications over IPv4 (note DHCPv4 is not over IPv4 exactly for this reason). > Med: We don't have the constraint of MAP so I would not exclude > pseudo-random port set algos (see > draft-tsou-softwire-port-set-algorithms-analysis-01#section-3.3) => I have no concern about them as soon as enough information is given to SD-CPEs (including SD-B4s in the DS-Lite case) so they can compute external ports as visible from the Internet. Regards francis.dup...@fdupont.fr PS: in fact for implementing a PCP/NAT-PMP/UPnP-IGD/etc service on a SD-CPE you need the SD-CGN algo parameters to implement: - something giving the next local (i.e., SD-CPE WAN side) external port. Note ++ is never enough as one must stay inside the allowed port range. - something (I call it map) giving the external port as visible from the Internet from the local external port value (i.e., applying the SD-CGN algo in the CPE to Internet way). Note this must not fail when the input is a valid (i.e., in range) value. - something (I call it unmap) giving the local external port from the value as visible from the Internet. Note this can be failed if the port doesn't belong to the customer translated port range (nothing really new: we already know a random external port is likely unavailable on a CGN). _______________________________________________ Softwires mailing list Softwires@ietf.org https://www.ietf.org/mailman/listinfo/softwires
