an update on me
Dave Taht
dave.taht at gmail.com
Thu Feb 16 13:19:38 UTC 2012
On Thu, Feb 16, 2012 at 8:30 AM, Francis Dupont <fdupont at isc.org> wrote:
>> To expand on what Francis said, as it relates to the CPE:
>> What we have is a modified miniupnpd. This proxies UPnP and NAT-PMP to
>> PCP, but only over DS-Lite (it doesn't make a local NAT mapping, but
>> just passes the PCP request to AFTR).
Where is the tree or patches? I note that I presently do *everything*
in public, and have standardized on github as my default git
repository.
The only things that aren't public are merely because I haven't had
time to do so.
My immediate thought would be to slam the existing miniupnp + patches
into my 'ceropackages' https://github.com/dtaht/ceropackages repo, and
grant everyone that needs it commit privs (just tell me your account
name, and/or send me the patch).
While I'm at this, is there a more modern AFTR than 1.1? I'd built it,
last year, recoiled at the default nat timeout, and not played with it
since.
> => short terminology:
> - Home Gateway (aka CPE, with an accent on the residential aspect)
I tend to overuse 'CPE' (which is an ISP-centric term) as, in contrast,
'home wireless routers' is longer but more accurate (also, being a
competitive marketplace with a different purchasing model)
> - CGN (Carrier Grade NAT, named also LSN for Large Scale NAT):
> a big NAT run by an ISP which is used by subscribers (BTW
> this notion of subscribers is the real difference between a CGN
> and a big NAT, and has critical consequences on security)
> - DS-Lite: put the ISP infrastructure over IPv6 so IPv4 is transported
> in IPv6 tunnels.
> Tunnel end-points are named B4 (Home Gateway)
> and AFTR (CGN).
That was the point that I'd missed. Somehow 'B4' strikes me as rather
confusing terminology.
> => there are at least 3 interesting schemes:
> - (standard) DS-Lite one: the Home Gateway (aka B4) encapsulates
> the IPv4 traffic over IPv6 to the CGN (aka AFTR) which decapsulates
> and translates it. For this case we support an IWF (InterWorking
> Function, a piece of software which takes UPnP IGD v1 and v2,
> NAT-PMP and PCP requests from home and converts them to PCP
> requests sent to a PCP server colocated with the AFTR) based
> on a heavily hacked miniupnpd named b4iwf in recent distribs.
"b4iwf" needs some googlejuice.
> - (standard) NAT444 where the IPv4 traffic is translated twice,
> first by the embedded NAT in the Home Gateway, and a second
> time by the CGN. We don't have support for this, cf the next
> item by Paul. BTW the use of a PCP proxy with an embedded NAT
> function raises an intrinsic security issue which makes IMHO
> the corresponding spec hard to go through the IETF.
> - standard Home Gateway: what we have today, the ISP provides
> a routable IPv4 address and the Home Gateway translates the
> IPv4 traffic using it. We have a miniupnpd (BTW with all the
> shortcomings of it, I didn't fix them as this should have
> implied a whole rewrite and perhaps some kernel hacking too)
> which is extended to support PCP too (code named miniupnpd
> in recent distribs).
>
>> We've got a contract with Juniper (separate from the SD-NAT work) to
>> work on PCP, which includes a deliverable to make the CPE work in a
>> NAT444 scenario (i.e. make a local NAT mapping, and request a
>> corresponding mapping from the CGN). This is my next task.
To what extent must this work be 'private'?
>> We've run this code on various WRT54G gear, and on WNDR3700(v1), with
>> stock OpenWrt Backfire 10.03.
> => BTW is there an easy way to recognize WNDR3700 v1, if possible
> just looking at the box?
The wndr3700v1 has no 'v1' in the version string.
This has pictures of the box and back of a wndr3700v2.
http://www.bufferbloat.net/projects/bismark/wiki/Wndr3700v2
As online resellers make no distinction usually between v1,v2,v3 - and
they are all different hardware! - the safest thing to do at this
point is to get a 3800, or go retail so you can see the side of the
box.
I did manage to get 3700v2s via amazon.fr back in October...
> Regards
>
> Francis Dupont <fdupont at isc.org>
--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net