Title: NAT requirements for TCP (BEHAVE WG)
 1NAT requirements for TCP(BEHAVE WG)
- draft-sivakumar-behave-nat-tcp-req-00.txt
S.Sivakumar, K.Biswas, B.Ford 
 2Scope 
- Recommendations to NAT implementors as pertaining 
 to TCP session processing.
- At the time of writing of this draft, 
 ltdraft-ford-behave-gen-00.txtgt was not available.
 Recommendations that are not specific to TCP or
 UDP will be moved to ltdraft-ford-behave-gen-00.txt
 gt, pending WG consensus.
3Req  1  TCP State Machine(SM)
- TCP NAT Sessions MUST be stateful. NAT MUST use 
 light-weight TCP State Machine for managing
 timers, seq/ack adjustments etc.
- TCP NAT Sessions can be light-weight and must 
 carry three states at a minimum  STARTUP,
 ACTIVE, CLOSING.
- A TCP NAT Session enters STARTUP state upon 
 seeing the first SYN for a TCP session.
- A TCP NAT Session enters ACTIVE state upon 
 completing 3-way handshake.
- A TCP NAT Session enters CLOSING state upon 
 seeing FIN or RST for the session.
4Req  2 - Address/Port Binding 
- NAT MUST maintain Address Binding and/or TCP Port 
 Binding. Multiple TCP NAT Sessions could reuse
 the same TCP Port Binding.
- The filtering behavior of NAT for TCP sessions is 
 as dictated by the NAT type (traditional,
 Bi-directional, Twice NAT types).
- Port parity, Port-contiguity - Some suggestions 
 have been made to specifically mention about
 port-parity, port-contiguity not being applicable
 to TCP traffic. Needs discussion?
5Req  3  TCP SM Timeouts
- NAT MUST maintain timeouts for different states 
 of state machine in a TCP NAT Session.The
 timeouts MUST be configurable.
- NAT MUST maintain SYN Timer to protect against 
 SYN flood-attacks in STARTUP state. Suggested
 timeout 30 to 60 secs.
- NAT MUST maintain Session Timer to track 
 idle-time on active TCP sessions. Suggested
 timeout 60 mins if no KeepAlive implemented and
 120 minutes if KeepAlive implemented.
- NAT MUST maintain Close Timer, to allow for 
 proper session termination, and to allow
 re-opening a recently closed or reset TCP session
 if desired. NAT can delete the TCP NAT session
 Upon expiry of Close timer, or enter STARTUP
 state and initiate SYN timer upon receipt of SYN.
 Suggested timeout 2xMSL (Maximum Segment
 Lifetime) to 60 seconds.
6Req  3  TCP Keep-alive
- Upon Session Timer expiry, NAT SHOULD enter a 
 "probe" state and send TCP keep-alive packets to
 internal endpoint.
- Upon receiving ACK or data traffic, NAT should 
 reset Session Timer and remain in ACTIVE state.
- Upon receiving RST, NAT should forward the RST to 
 External Server, enter CLOSING state and start
 Close Timer.
- Upon not receiving any response after a few 
 retries, NAT should send RST to both parties,
 enter CLOSING state and start Close Timer.
7Req  4 - Port Reservation
- NATs TCP Port space is shared by 2 functions 
-  (a) Routers local end-host functionality 
-  (b) Routers NAT functionality 
- NAT MUST NOT use a single TCP port for both NATd 
 sessions and local application sessions at the
 same time.
- Recommendation NAT implementers SHOULD set 
 aside port-blocks for end-host functionality vs.
 NAT functionality.
8Req  5 - IP Frags,TCP Segments
- IP Fragments Suggest moving this to 
 draft-ford-behave-gen-00.txt
- TCP Segment processing - Recommended only when 
 ALGs are enabled on the same NAT device. Not
 mandatory requirement.
- NAT SHOULD support TCP Segments received out of 
 order. TCP Segment processing SHOULD be as
 described in the draft.
- NAT SHOULD enforce sequencing on the out-of-order 
 TCP segments such that NAT reassembles the TCP
 segments prior to handing off to an ALG.
- NAT SHOULD send TCP ACK to the endpoint (when a 
 segment is out of order) for obtaining subsequent
 segments from the endpoint.
9Req  6 - Seq/Ack  adjustment
- Recommendation for NAT only when ALGs are enabled 
 on the same device. Not mandatory requirement.
- If NAT has ALG enabled, the ALG might cause 
 application-payload to increase/decrease in size.
 The ALG will need to change seq/ack number in the
 TCP header  save this information along with the
 delta of change in the TCP NAT Session, so as to
 adjust subsequent TCP packets of the session.
- If NAT has ALG enabled, the TCP NAT Sessions 
 SHOULD be extended to include seq-delta,
 ack-delta info in the TCP NAT Session.
10Req  7 - ICMP Err-Msg handling 
- NAT SHOULD fix the embedded payload in the ICMP 
 Error messages. This is not specific to TCP.
 Suggest moving this to draft-ford-behave-gen-00.tx
 t.
11New Reqs (Not included yet)
- NAT must generate  process PMTU msgs for TCP 
 packets
- TCP packets often have DF(Donot Fragment) bit set 
 will require devices enroute to not fragment
 TCP segments. If MTUs donot match, NAT MUST send
 a destination unreachable ICMP message with
 suggested MTU to the sender  drop the TCP
 packet.
- NAT must also honor the ICMP destination 
 unreachable messages it receives from
 intermediate nodes in either realm and forward to
 appr. end-node
12Wrap-up
- Comments/Suggestions ? 
- (We plan to summarize the requirements at the 
 end, and move the text common to both TCP  UDP
 to draft-ford-behave-gen-00.txt, based on WG
 inputs )
- Accept as WG item ? 
13Differences between 2 TCP submissions 
-  Both drafts (Sivakumar-draft  
 Modadugu-draft) are similar in content. So,
 common Reqs are not listed. Below are the main
 differences
-  TCP State Machine requirement 
-  sivakumar-draft states that NAT MUST maintain 
 a light-weight TCP state-machine.
-  
-  modadugu-draft doesnot mandate this. 
14Differences between 2 TCP submissions
- Port reservation requirement 
-  sivakumar-draft recommends that NAT SHOULD 
 set aside ports for local TCP applications
 running on the box and avoid port-number
 conflicts.
-  
-  modadugu-draft does not provide a 
 recommendation.
- TCP Timers requirement 
-  sivakumar-draft recommends that NAT MUST 
 maintain SYN, Session  Close timers
-  modadugu-draft discusses timers, but does 
 not list them as a requirement.
15Differences between 2 TCP submissions
- TCP KeepAlive requirement 
-  sivakumar-draft recommends this as a SHOULD, 
 without making this a mandatory requirement
-  modadugu-draft does not offer a 
 recommendation (author believes this is not
 needed).
- TCP Segments handling requirement 
-  sivakumar-draft recommends this as a SHOULD 
 only when ALG enabled on the NAT.
-  modadugu-draft does not offer a 
 recommendation (Author believes this is not
 needed)
16Differences between 2 TCP submissions
- Allow Incoming SYN requirement 
-  sivakumar-draft does not offer an explicit 
 recommendation on this.
-  modadugu-draft recommends that NAT MUST allow 
 incoming SYN while a Nat Session is alive (ex in
 CLOSING state)
- Paired Source-IP address pooling behavior 
 requirement
-  sivakumar-draft does not offer a 
 recommendation on this.
-  (draft-ford-behave-gen-00.txt covers this) 
-  modadugu-draft recommends that a NAT SHOULD 
 support IP address pooling behavior of Paired,
 if NAT supports IP address pooling.
17Differences between 2 TCP submissions
- Finally, some stylistic differences 
-  Sivakumar-draft lists the requirements as you 
 go along. Summary requirements intended to be
 listed at the end.
-  
-  Modadugu-draft lists the requirments first 
 similar to behave-udp draft, followed by
 discussion on the requirements.