[Swan-dev] how do you spell NAT Traversal options?

Paul Wouters paul at nohats.ca
Thu Apr 17 01:41:18 EEST 2014 

On Wed, 16 Apr 2014, D. Hugh Redelmeier wrote:

> I'm working at making the user-visible options more consistent.

Can you tell me what you mean with user-visible?

Do you mean pluto arguments as well as configuration options?

> There should only be one spelling of something.
>
> I'm going to replace all underscores _ in names with minus -.  (Old
> names will quietly work until we decide to pull the plug.)

So you're planning on adding a dozen new keywords?

> NAT Traversal seems to have the most confusing proliferation of
> spellings.  What should it be named?  These currently occur within
> names and I want to pick ONE:
>    nat
>    natt
>    nat-t
>    nattraversal
>    nat-traversal
> I lean towards "natt" as being concise and distinct.  "nat" also has
> merit.
>
> ==> which word would you choose?  Why?

stand alone I think "nat-t" is more intuitive than "natt", but if you
combine it, eg nat-t-ikport it becomes confusing natt-ike port is more
useful, although pronouncing "natt" over the phone is tricky, and "nat"
might be better for that.

> libipsecconf/keywords.c uses "nat_ikeport" and everything else uses
> "natikeport".  I imagine that this cannot work (but I don't really
> understand the plumbing). It seems to me that "nat-ikeport" is a
> better name.  But maybe the feature should just go away.

Please do not remove it. One of the "weak" points of IKE/IPsec is that
it is very easy to block, because you just block UDP 500 and proto
50/51. With ESPinUDP we have port UDO 4500. It is possible right now
to specify both the IKE port and the NATT IKE port to a different
number, avoiding censorshop/filtering. While this is not a negotiated
option, if both ends agree they can do this circumvention.

But we should indeed add a test case to test if this feature of moving
both ports works as expected. I'll do that.

> The documentation suggests that if you use this, you might confuse the
> kernel.  This should be explained.

I'm not sure what the documentation says, but the confusion relates to
the "udp (4)500 holes" that might need to change to different ports.

> ==> is natikeport being used?  Why?  Can I delete it?

nat_ikeport= seems to match the other configuration options. If
everything goes to using "-", we should pick nat-ikeport=

> ==> Which spelling would you choose?  Why?
>
>
> keep_alive SEEMS to be the way to specify a global "delay for NAT-T
> keep-alive packets".  A HORRIBLE name.  Can we rename it?  I don't
> even understand the description in ipsec.conf(5).  Is it how long we
> will wait for an incoming keep-alive, or how long we'll wait before
> sending one?  Or something else?

The name comes from the RFCs:
 	https://tools.ietf.org/html/rfc3948#section-2.3
 	https://tools.ietf.org/html/rfc3947#section-3.2

Keepalives are only send by the endpoint behind NAT. The option is the
maximum idle time for an IKE+IPsec SA combination (both go to UDP 4500
of the remote peer). If that idle time is reached, we sent a keepalive
packet to prevent the NAT router from timing out its NAT mapping.

(earlier versions did not meassure idleness and depended on just the
  timer to always send a keepalive - still the case for KLIPS as we
  don't have the right calls to ask if the IPsec SA is idle in KLIPS)

Note this used to be a global option (now ignored) and is now a per-conn
option.

> ==> what would be a good name for this "delay"?

nat-keep-alive= ?
nat-max-idle-time= ?

Note that some coordination with the enable/disable name should be done
as well. The global force_keepalive=yes|no was replaced with the
nat_keepalive=yes|no per-conn option (note that you cannot have conn
options that have the same name as a global option)

So I guess such an option could be called nat-idle-send-keepalives= or
something? Or perhaps than use nat-idle-max-time= and
nat-idle-send-keepalives= ?

Feel free to remove the obsolete options' documentation, though it would
be nice to start a wiki page with a list of the obsoleted options and a
pointer to the option it is replaced with. Which reminds me that we need
to generate our man pages in html as well under libreswan.org/manual/

> programs/pluto/whack.c usage:
> --no-nat_keepalive

When we added a new global option that would change the default
behaviour, we wanted that _not_ specifying the option
would not change the default behaviour. So sometimes that mean adding the
option as a negative, eg --no-nat_keepalive. This option is not
--nat_keepalive to enable it because the default was "enabled".

Paul

More information about the Swan-dev mailing list