I'm trying to locate an RFC that spells out the behavioral
requirements, expectations or guidelines for NAT handling of the IP ID
field, particularly for UDP messages.
If this is not written down anywhere, do NATs generally rewrite the ID
field with or without the MF bit set?
I don't know.
We had a discussion about this in the BEHAVE working group while working on
stateful IPv6-to-IPv4 translation. Unless I missed something, the ID field
uniqueness for any combination of source, destination IP addresses and
Assuming the source address doesn't change, this means an ID counter should be
maintained per destination address + protocol pair, so the maximum number of
packets can be transmitted for each such pair before an ID value is reused.
would be the optimal host behavior, and NATs should act like hosts in this
regard. Reusing the ID field from the original packet has a much higher chance
of seeing the same ID field for outstanding fragments of a different flow,
can cause undetected data corruption in 1 in 65535 cases when the TCP/UDP
checksum doesn't catch this.
The same applies to other TCP and IP header fields.
draft-gont-behave-nat-security contains some discussion of this.
Curious; RFC2402 says
" Flags -- This field is excluded since an intermediate router might
set the DF bit, even if the source did not select it."
which is a licence to set the bit but I had not thought to reset the bit.
RFC791, RFC1122 and RFC1812 would appear to be silent on this.
I'm curious abut RFC 2402, then. Firstly, the host might not implement
PMTUD, and hence setting the DF bit on its behalf could possibly cause
interoperability problems. Secondly, some hosts clear the DF bit if the
advertised MTU in an ICMP "frag needed" is below some specified
threshols. This RFC2402-behavior could cause problems in this scenario, too.
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Ietf mailing list