-
Notifications
You must be signed in to change notification settings - Fork 162
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: update NAT address discovery design document #4659
base: master
Are you sure you want to change the base?
Conversation
As I remember it, the advantage wasn't simplicity (IP/UDP/SCION/STUN would also be simple) but a general viewpoint that STUN should operate on the underlay because it solves an underlay problem. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @jdslab)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @jdslab, @jiceatscion, @JordiSubira, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @jdslab, @jiceatscion, @JordiSubira, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @jiceatscion, @JordiSubira, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r2.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @jiceatscion, @JordiSubira, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed all commit messages.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @jdslab, @jiceatscion, @JordiSubira, @lukedirtwalker, @oncilla, and @tzaeschke)
doc/dev/design/NAT-address-discovery.rst
line 69 at r3 (raw file):
Also note that the NAT issue only exists for traffic between separate ASes. If both the client and the server are located within the same AS, the server can simply send returning packets to the underlay source address of the client (which is visible to the server in this case).
Add a note that this is unfortunately only possible for servers that are listening on ports which don't get routed through a SHIM dispatcher.
Code quote:
Also note that the NAT issue only exists for traffic between separate ASes. If both the client and the server are located within
the same AS, the server can simply send returning packets to the underlay source address of the client (which is visible to the server in this case).
I would probably not mention any of the reversing, the reversing is just obvious and hasn't changed in any way. Instead, I would probably emphasize the "underlay":, e.g. "For communication... to the underlay source address instead of the SCION source address." |
Previously, marcfrei (Marc Frei) wrote…
By the time this goes into a release, there are hopefully no more dispatchers :-) |
Insert space: "RFC 5389"'? |
Previously, tzaeschke (Tilmann) wrote…
I think the NAT issue also exists with intra-AS, it is just solved differently. I would rephrase it to something like: "For intra-AS traffic, the NAT problem can be solved be changing the implementation servers such that return packets are always sent to the underlay address instead (which may be a NATed address)of the SCION source address." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @jiceatscion, @JordiSubira, @lukedirtwalker, @marcfrei, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @jiceatscion, @JordiSubira, @marcfrei, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @JordiSubira, @marcfrei, and @oncilla)
doc/dev/design/NAT-address-discovery.rst
line 69 at r3 (raw file):
Previously, tzaeschke (Tilmann) wrote…
I think the NAT issue also exists with intra-AS, it is just solved differently. I would rephrase it to something like: "For intra-AS traffic, the NAT problem can be solved be changing the implementation servers such that return packets are always sent to the underlay address instead (which may be a NATed address)of the SCION source address."
I agree that the NAT issue does exist just as well intra-AS: Sunrise has SCION, but I doubt it does me much good with the non-routable address they give me. However, can't we assume that the exact same STUN tactics can be used intra-AS? That is: use the nearest BR as a stun server - on the inside? I know you'll tell me that if the client is behind a symmetric NAT, then it won't work. But that's fine, because if an AS is configured like that internally, then it just violates the SCION protocol entirely: the underlay address is supposed to be a valid endhost address; not some random thing. Am I missing something? I am not too fond of the idea that we can skirt the issue by reversing the underlay header; that assumes that in all cases the underlay header remains associated with the rest of the SCION packet until such time that a response is warranted. It also excludes any kind of NAT-ed SCION server, which sucks exactly as much as it does in the IP world.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My objection to the intra-AS solution shouldn't be viewed as blocking. Intra-AS NAT support can be introduced later and need not be tied to the inter-As solution.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @JordiSubira, @marcfrei, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @JordiSubira, @marcfrei, and @oncilla)
Symmetric NAT may be one issue, but another one is that an AS may be divided into multiple subnets separated by NATs. That means, different border routers may be seeing different NATed addresses. The problem is then that we need to figure out which border router is in the same subnet as the destination host, and there may not be any border router in that subnet. The only way I see to avoid using the underlay is having endhosts implement STUN servers, so before I send anything to a destination host, I first STUN them to get my NATed address. Compared to that, it seems simpler to me to use the underlay, but we can discuss this if people disagree? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes the possibility of adding stun server to every endpoint crossed my mind. Sounds brutal, but might not be that bad. It'd be basically the same code, just enabled in more places. Yet, I have a hard time imagining what internal network topology would make that necessary. May be it'd be worth showing an example? As I said, we don't really need to solve it right now. It could be a subsequent effort... even if it leads to generalizing the stun server to every end-point, it would still reuse the stun server code from the inter-AS case, so not much would be wasted.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @JordiSubira, @marcfrei, and @oncilla)
@jiceatscion
Does that make sense? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r4, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @JordiSubira, @marcfrei, and @oncilla)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @jdslab, @marcfrei, and @oncilla)
doc/dev/design/NAT-address-discovery.rst
line 69 at r3 (raw file):
Previously, jiceatscion wrote…
I agree that the NAT issue does exist just as well intra-AS: Sunrise has SCION, but I doubt it does me much good with the non-routable address they give me. However, can't we assume that the exact same STUN tactics can be used intra-AS? That is: use the nearest BR as a stun server - on the inside? I know you'll tell me that if the client is behind a symmetric NAT, then it won't work. But that's fine, because if an AS is configured like that internally, then it just violates the SCION protocol entirely: the underlay address is supposed to be a valid endhost address; not some random thing. Am I missing something? I am not too fond of the idea that we can skirt the issue by reversing the underlay header; that assumes that in all cases the underlay header remains associated with the rest of the SCION packet until such time that a response is warranted. It also excludes any kind of NAT-ed SCION server, which sucks exactly as much as it does in the IP world.
I would also add that on the long term, we cannot assume how packets will be dispatched to end hosts. Mainly, if we ever have kernel support, packets may get encapsulated again to a fix port, so that they can be routed internally by intra-AS middleware. In that sense, ideally, this solution should work also in this case.
The problem really is, which is the "nearest" STUN server? And in which subnet is it? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r4, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @FR4NK-W, @jdslab, and @oncilla)
@lukedirtwalker @oncilla @jiceatscion @JordiSubira @marcfrei @FR4NK-W Apologies for opening this up again but we came up with a new idea that we may want to discuss. The idea is to let border routers rewrite the source address/port (replace it with the underlay src address/port) on packets on the way out. Previously this idea was dismissed because it would not work with SPAO where the SCION SRC/DST addresses are protected fields. If we were to change SPAO to allow this kind of rewriting of SRC addresses and SRC ports, the NAT solution could became a whole lot simpler.
SPAO may anyway need some changes because it is unclear how it works with DRKeys, specifically how clients behind a NAT can get distinct DRKeys instead of sharing one key (unless sharing is okay). We think it may be worth discussing this in more detail, maybe in the upcoming open-source meeting? Comments? |
No need. Better take the time to arrive at the best possible solution.
That sounds both simple and disturbing. In fact, I found it disturbing for a while that the effect of NAT leaks out of the underlay. Trying to think about it from an abstract networking stack perspective, I wonder if the layering violation isn't already implicit in the SCION forwarding code. We just assume that the link-layer address (since that's what the underlay address is from the SCION network perspective) is contained verbatim in the network address. I guess avoiding any address resolution protocol is a worthy goal, but may be we should accept that there needs to be some form of resolution. In the router, the forwarding to a local host is named "ResolveLocalDst()". so, I'm not the first one to think that some non-trivial "resolution" could be in order. For example we could keep a map that we populate from packets received from local sources. The map would not need to store the common case identity mapping. I can take my answer from next Tuesday's discussion.
Agree. Consider it added to the agenda. |
Updated design document for NAT support as announced in #4630.