Hi Yiu,

Sending back an ICMP message when receiving a port out of range should be configurable IMHO.
When receiving a port out of range, the behaviour of REQ#12 (A, B and C) of http://tools.ietf.org/html/draft-ietf-behave-lsn-requirements-05#section-3 can be followed by the AFTR. No need to define a new ICMP message for this; ICMP message Type 3 Code 13 is fine for this.

Cheers,
Med

>-----Original Message-----
>From: [email protected]
>[mailto:[email protected]] On behalf of Lee, Yiu
>Sent: Tuesday, 20 March 2012 16:39
>To: Alain Durand; Qi Sun
>Cc: Softwires WG; draft-cui-softwire-b4-translated-ds-lite;
>[email protected]
>Subject: Re: [Softwires] draft-penno-softwire-sdnat vs.
>draft-cui-softwire-b4-translated-ds-lite
>
>Today, if a user generates a packet using an illegal IPv4 source address,
>what would we do? We could drop the packet silently by doing
>source-verify. So, tomorrow if a user uses an illegal port, IMHO AFTR should
>drop the packet silently.
>
>
>On 3/20/12 9:06 AM, "Alain Durand" <[email protected]> wrote:
>
>>It is necessary because the AFTR is the only place where we can enforce
>>IPv4 ingress filtering, i.e. put ACLs to check
>>that the incoming tunneled traffic from any given customer is using a
>>legitimate IPv4 address and source port.
>>When the incoming traffic does not match those ingress filtering rules,
>>an ICMP error message must be returned.
>>The idea in SD-NAT is to use this ICMP message to carry the information
>>about the correct port range to use.
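The AFTR ingress check discussed in this thread, as an added example that is not part of any of the messages or of either draft: it validates the inner IPv4 source address and source port of a decapsulated packet against a per-subscriber binding, then either drops silently or answers with ICMP Type 3 Code 13, depending on a configuration flag. The names `BINDINGS`, `ingress_check` and `send_icmp`, the addresses (documentation ranges) and the rule that only TCP and UDP ports are checked are assumptions made for the example.

```python
import ipaddress
import struct

# Constructed binding table: B4 tunnel IPv6 address -> (assigned IPv4, port range).
BINDINGS = {"2001:db8::1": ("192.0.2.10", range(1024, 2048))}

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_admin_prohibited(inner: bytes) -> bytes:
    """ICMP Type 3 Code 13 quoting the offending IPv4 header plus 8 bytes."""
    quoted = inner[: (inner[0] & 0x0F) * 4 + 8]
    csum = checksum(struct.pack("!BBHI", 3, 13, 0, 0) + quoted)
    return struct.pack("!BBHI", 3, 13, csum, 0) + quoted

def ingress_check(tunnel_src: str, inner: bytes, send_icmp: bool):
    """Return (action, icmp_or_None) for one decapsulated IPv4 packet."""
    ihl = (inner[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(inner[12:16]))
    # Only TCP (6) and UDP (17) carry a source port in the first two bytes.
    sport = struct.unpack("!H", inner[ihl:ihl + 2])[0] if inner[9] in (6, 17) else None
    binding = BINDINGS.get(tunnel_src)
    if binding and src == binding[0] and (sport is None or sport in binding[1]):
        return ("forward", None)
    if send_icmp:  # operator-configurable, as Med suggests
        return ("drop+icmp", icmp_admin_prohibited(inner))
    return ("drop", None)  # silent drop, as Yiu suggests

def sample_packet(src: str, sport: int) -> bytes:
    """Constructed IPv4/UDP packet: 20-byte header, 8-byte UDP, no payload.
    The IPv4 header checksum is left at 0 because the check does not read it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("198.51.100.1").packed)
    return ip + struct.pack("!HHHH", sport, 53, 8, 0)

if __name__ == "__main__":
    for src, port in (("192.0.2.10", 1500), ("192.0.2.10", 5000), ("192.0.2.99", 1500)):
        action, icmp = ingress_check("2001:db8::1", sample_packet(src, port), True)
        print(src, port, action, icmp.hex() if icmp else "")
```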
