draft-ietf-behave-nat-behavior-discovery-01 - PowerPoint PPT Presentation

Provided by: bruce251
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
draft-ietf-behave-nat-behavior-discovery-01
  • Derek MacDonald
  • Bruce Lowekamp

2
Changes from IETF-68
  • Clarified that only STUN servers with two IP
    addresses should use an SRV entry
  • Removed backward compatibility with 3489 clients
    (SHOULD NOT)
  • PADDING mandatory
  • Use MAPPED-ADDRESS to detect generic ALG

3
Feedback from List
  • Non-normative
  • hairpinning
  • parallelization
  • Detecting Linux NATs
  • slippery slope
  • timing sensitive
  • Action: include mention of timing sensitivity
  • Action: examples of detecting specific NATs out
    of scope

4
Intended Status
  • Current draft is PS. Given that we are all
    concerned about potential uses of these
    techniques, there may be concerns about this
    draft.
  • BUT, there are legitimate uses of these
    techniques, and it is very important to document
    what they can and can't do.
  • Applications might be able to use it
    legitimately.
  • Question: Change to experimental?

5
Open Issue: 3489bis-07
  • Needs revisions
  • mostly straightforward
  • can be SRV or pre-provisioned
  • backward compatibility not required
  • update IAB and Security considerations

6
Open Issue: Cache-Timeout
  • Response code 430 originally proposed for when
    server has lost state/secret allowing it to honor
    RESPONSE-ADDRESS
  • Propose new error code to indicate must redo
    original Binding Request with CACHE-TIMEOUT
  • Options:
      • 412 Conditional Request Failed
      • something new?

7
Open Issue: Shared Secret
  • Currently says MUST use shared secret for
    RESPONSE-ADDRESS.
  • No longer a clear way of acquiring secret.
  • Proposal:
      • change to SHOULD use authentication
      • servers MUST rate-limit if not authenticating

8
Open Issue: Compatibility
  • Previous conclusion was that 3489bis clients
    would ignore OTHER-ADDRESS and SOURCE-ADDRESS
  • Backward compatibility now dropped.
  • Options:
      • Request tag, change 3489bis, make responses
        optional, different ports.
  • Proposal: Make OTHER-ADDRESS and SOURCE-ADDRESS
    optional, change names