
Re: How to include APBP scenarios in the Coexistence Requirement I-D



I just want to add a consideration or two for UPnP and NAT-PMP operation in an environment where many households will share a single IPv4 address.

As I understand, UPnP does not have a mechanism to request an anonymous (or IGD/NAT-assigned) port whereas NAT-PMP does.

In UPnP, the ExternalPort may request a wildcard mapping which indicates all unused ports should be listened to (DMZ operation), but provides no facility to request that an external port be assigned and notify the UPnP client of its value. Consider a theoretical game that supports any high port: in UPnP the client must request a mapping and specify the external port. If the port number can be any value it is reasonable to assume a random function should find a free port within a few AddPortMapping requests.

NAT-PMP works differently, and does support the assignment of a high-numbered port of the NAT device's choosing (as it always responds to a mapping request with the Mapped External Port value).

Without having firsthand experience I understand some applications, such as Xbox Live, request/require specific ports to be opened - something that is impractical when many households share the same IP address. Point being that each application would need to support a NAT-assigned (or at least randomise the request for an) external port. I realise that it is no different from having multiple clients in a single household but it may present an issue in some cases. Also, I am not sure it is a good idea to allow external ports to be < 1024 for port mappings (which invariably have a lifetime) because of the potential for impersonation or interception of traffic. Restricting port mappings to only high ports may also impact some applications.

All of these considerations leave me in two minds: do we go to the effort of inter-working UPnP/NAT-PMP with the invariable NAPT that must occur somewhere in the network, accepting it will help some apps and not others; or, do we accept there are alternative methods for NAPT traversal and hole-punching that do not require explicit signalling? If an application needs to be adapted to support either environment, perhaps the developers could include IPv6 transport and solve our problem.

Does anyone have experience with UPnP and multiple devices/apps behind the same IGD, and the external port numbers they request?

Regards,

-David


On 17/07/2008, at 7:19 AM, Alain Durand wrote:

But, of course, all this has to be balanced with the security (or lack
thereof) of UPnP...

 - Alain.


On 7/16/08 4:50 PM, "Alain Durand" <alain_durand@cable.comcast.com> wrote:

Dan,

Because there is only one level of NAT in dual-stack lite, couldn't this be simplified by asking the dual-stack lite home gateway to forward the UPnP message to the dual-stack lite carrier-grade NAT?

 - Alain.


On 7/16/08 2:03 PM, "Dan Wing" <dwing@cisco.com> wrote:

Following some privately received comments of Dan Wing, the
standby phase hasn't been long, and the idea to possibly give up
APBP stands no longer !

I just posted draft-01, with I believe substantial simplifications
and improved applicability.

Sorry for the one more change.

Allow me to elaborate a bit on our offline discussion over the weekend.

I noticed all of the current proposals (SNAT, NAT64, NAT6, IVI, dual-stack-lite, etc.) are quiet on a significant aspect of a requirement that is important: keeping existing games and existing applications working. I am thinking of game boxes like Microsoft's Xbox that need UPnP IGD in order to function properly over the Internet, and applications such as Microsoft Netmeeting (needs an H.323 ALG in the NAT), Quicktime and RealAudio streaming (RTSP), and so on. http://tools.ietf.org/html/rfc3027 does a good job of explaining the specifics.

A protocol which meets the requirements of APBP would allow UPnP IGD, NAT-PMP, and appropriate ALGs to be in the subscriber-side CPE box, and allow using APBP to the carrier-owned NAT64/NAT44 box to obtain a real, publicly-routable v4 transport address. That publicly-routable v4 transport address would then be used by the subscriber-side CPE in exactly the same way that today's subscriber-side CPE uses its own WAN transport address for the same functions. For UPnP IGD, the availability of APBP means a host that performs the UPnP getPublicIPAddress() API call would get a publicly-routable v4 transport address. Without APBP, a host performing that same function call would not get a v4 address at all.


Here are some beautiful ASCII art diagrams of the difference between today's UPnP IGD (and NAT-PMP) and what I am suggesting is useful (and necessary) for tomorrow's APBP in conjunction with UPnP IGD and NAT-PMP:


Today's UPnP IGD and NAT-PMP function at a high level:

+-----------------+
|incoming UPnP IGD|
|or NAT-PMP packet|
+----+------------+
    |
    V
+-------------+          +-----------------------+
|  need new   |-----YES->| create NAT binding    |
|NAT binding? |          |using NAT's WAN address|
+----+--------+          +---------+-------------+
    |                             |
    NO                            |
    |                             |
    V                             |
+----+---------------+            |
|respond to UPnP IGD |<-----------+
|or NAT-PMP request  |
+----+---------------+


Change to UPnP IGD or NAT-PMP function inside of the subscriber NAT
(difference highlighted with "=" and capital letters):


+-----------------+
|incoming UPnP IGD|
|or NAT-PMP packet|
+----+------------+
    |
    V
+-------------+          +=========================+
|  need new   |-----YES->| SEND "APBP" MESSAGE     |
|NAT binding? |          | TOWARDS SP'S CARRIER NAT|
+----+--------+          +=========+===============+
    |                             |
    NO                            |
    |                             |
    V                             |
+----+---------------+            |
|respond to UPnP IGD |<-----------+
|or NAT-PMP request  |
+----+---------------+

-d
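The two mapping behaviours David contrasts (NAT-PMP always returns a Mapped External Port of the NAT's choosing; UPnP IGD AddPortMapping makes the client name the external port and refuses on conflict, so the client has to retry with random high ports), and Dan's point that the binding ends up on a NAT whose single address is shared by many households, as an added Python illustration. This is not code from the thread, from any APBP draft or from any product. Assumptions: the subscriber names, the 1024-65535 port pool, the refusal of external ports below 1024 (the policy David wonders about), and the constructed "game port" 30000. The NAT-PMP wire layouts and result codes follow RFC 6886; the UPnP error names are those of the WANIPConnection AddPortMapping action.

```python
"""Simulated NAT-PMP mapping and UPnP IGD AddPortMapping on a NAT that shares
one external IPv4 address among several subscribers (illustration only)."""
import random
import struct
import time

NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2
# RFC 6886 result codes used here: 0 success, 1 unsupported version,
# 4 out of resources, 5 unsupported opcode
RESULT_SUCCESS, RESULT_BAD_VERSION, RESULT_NO_RESOURCES, RESULT_BAD_OPCODE = 0, 1, 4, 5

REQUEST_FMT = "!BBHHHI"    # vers, op, reserved, internal port, suggested ext port, lifetime (12 bytes)
RESPONSE_FMT = "!BBHIHHI"  # vers, op|128, result, epoch, internal port, mapped ext port, lifetime (16 bytes)


def build_map_request(proto_op, internal_port, suggested_external, lifetime, version=NATPMP_VERSION):
    """Encode a NAT-PMP mapping request; suggested_external=0 means 'NAT's choice'."""
    return struct.pack(REQUEST_FMT, version, proto_op, 0, internal_port, suggested_external, lifetime)


def parse_map_response(data):
    """Decode a NAT-PMP mapping response into a dict; external_port is what the NAT chose."""
    names = ("version", "op", "result", "epoch", "internal_port", "external_port", "lifetime")
    return dict(zip(names, struct.unpack(RESPONSE_FMT, data)))


class SharedAddressNAT:
    """One external address, one port space, many subscribers.
    Assumed policy: no external ports below 1024 (pool bounds are assumptions)."""

    def __init__(self, low=1024, high=65535):
        self.low, self.high = low, high
        self.table = {}  # (proto_op, external_port) -> (subscriber, internal_port); lifetimes not expired here
        self.started = time.time()

    def _free(self, proto_op, port):
        return self.low <= port <= self.high and (proto_op, port) not in self.table

    def _pick(self, proto_op, suggested):
        """Honour the suggestion if free, else scan upward from it (or from the pool floor)."""
        base = suggested if self.low <= suggested <= self.high else self.low
        for port in list(range(base, self.high + 1)) + list(range(self.low, base)):
            if self._free(proto_op, port):
                return port
        return None

    def natpmp_map(self, subscriber, request):
        """NAT-PMP: the response always carries the Mapped External Port the NAT assigned."""
        vers, op, _, internal, suggested, lifetime = struct.unpack(REQUEST_FMT, request)
        epoch = int(time.time() - self.started) & 0xFFFFFFFF

        def reply(result, external=0, life=0):
            return struct.pack(RESPONSE_FMT, NATPMP_VERSION, op | 0x80, result, epoch, internal, external, life)

        if vers != NATPMP_VERSION:
            return reply(RESULT_BAD_VERSION)
        if op not in (OP_MAP_UDP, OP_MAP_TCP):
            return reply(RESULT_BAD_OPCODE)
        port = self._pick(op, suggested)
        if port is None:
            return reply(RESULT_NO_RESOURCES)
        self.table[(op, port)] = (subscriber, internal)
        return reply(RESULT_SUCCESS, port, lifetime)

    def upnp_add_port_mapping(self, subscriber, proto_op, external_port, internal_port):
        """UPnP IGD AddPortMapping: the caller names the external port; the NAT takes it
        or refuses, it cannot hand back a different one."""
        if external_port == 0:
            return "716 WildCardNotPermittedInExtPort"
        if not self.low <= external_port <= self.high:
            return "policy: external port outside %d-%d" % (self.low, self.high)
        if (proto_op, external_port) in self.table:
            return "718 ConflictInMappingEntry"
        self.table[(proto_op, external_port)] = (subscriber, internal_port)
        return "OK"


def upnp_client_random_retry(nat, subscriber, proto_op, internal_port, seed=0, attempts=8):
    """Client-side workaround from the thread: keep trying random high external ports."""
    rng = random.Random(seed)
    for n in range(1, attempts + 1):
        port = rng.randint(nat.low, nat.high)
        if nat.upnp_add_port_mapping(subscriber, proto_op, port, internal_port) == "OK":
            return port, n
    return None, attempts


def demo():
    """Three households behind one address, all running a game that wants UDP 30000 (constructed)."""
    nat, game_port = SharedAddressNAT(), 30000
    a = parse_map_response(nat.natpmp_map("household-A", build_map_request(OP_MAP_UDP, game_port, game_port, 3600)))
    b = parse_map_response(nat.natpmp_map("household-B", build_map_request(OP_MAP_UDP, game_port, game_port, 3600)))
    c_direct = nat.upnp_add_port_mapping("household-C", OP_MAP_UDP, game_port, game_port)
    c_port, tries = upnp_client_random_retry(nat, "household-C", OP_MAP_UDP, game_port, seed=7)
    return a["external_port"], b["external_port"], c_direct, c_port, tries


if __name__ == "__main__":
    print(demo())
```

Household A gets its suggested port; household B's identical suggestion is already taken, so the NAT-PMP response tells it the next free port instead; household C's UPnP request for the same port simply fails with ConflictInMappingEntry until it guesses a free one. A game that insists on a fixed external port only works for the first household on the shared address in either protocol, which is the problem David raises.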