
Re: IPv6-PMP?



On Apr 10, 2007, at 14:37, Fred Baker wrote:

> Firewalls that permit the end to end principle to remain in force are a good thing for networks.

Agreed. Unfortunately, the default "firewall" in the initial version of AirPort Extreme base station was only a stateless one designed for the purpose of simply dropping packets that were obviously bogus from inspecting the headers. It's still there, of course, but it's been enhanced in the default mode with a much more restrictive stateful one that must be turned off explicitly. (Doing that is a complicated process that we expect most users will never do.)

Apple promptly responded to public concerns about the security risks associated with not enabling the stateful packet filter by default, but this has the side effect of not conserving the end-to-end principle. The filter applies basically the same limitations on IPv6 traffic as what network address translation demands from IPv4, i.e. inbound packets are only passed if they match state created by outbound flows.

> Where the so-called "personal firewall" on a desktop/laptop protects the system, the firewall protects the investment in the network and provides a second layer of defense for the host.

> Doesn't SOCKS/GSSAPI open pinholes in firewalls?

I don't think so. My understanding of SOCKS is that it's for application layer proxies, not network layer stateful packet filtering firewalls. I could be wrong.

> And the stateful firewalls I am most familiar with actually open pinholes automagically. They observe SYN-etc messages going out and open pinholes for the responses. Where one needs to do more is with protocols where the originating message is incoming. I would expect (in keeping with the stateful firewalls I am most familiar with) that this is done with an access list that allows SMTP to the incoming mail server, WWW to the web server, and so on. A SIP proxy can similarly open a pinhole for a SIP data call.

The problem arises when a new application protocol is deployed for which an application layer gateway has not been implemented in the stateful packet filter of the IPv6 gateway.

I can easily write an ALG for the file transfer protocol that inspects the FTP control stream for the PASV and PORT commands and punches pinholes for the inbound TCP data connection. In fact, it's on my short list of immediate things to do. This is a straightforward adaptation of the existing FTP ALG in our IPv4/NAT. I can do the same thing for SIP, and BitTorrent, and ISAKMP, and, and, and... but how do I support application protocols that haven't been designed yet?

What can we do to make it so new applications can be deployed over IPv6 without requiring the ALG set in stateful packet filters on every gateway to be upgraded to support them before they will work? I don't see how that can be accomplished without something that allows IPv6 nodes to solicit the packet filter to create a rule for allowing inbound flows to create state. This facility exists today with IPv4/NAT through UPnP and NAT-PMP. It's not there for IPv6 as far as I can tell.


--
j h woodyatt <jhw@apple.com>
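The following Python sketch is an added example, not code from this thread or from Apple's AirPort firmware. It models the three mechanisms the message discusses: a stateful filter that admits inbound packets only when they match state created by an outbound flow, an FTP ALG that inspects the control stream and punches a one-shot pinhole for the announced data connection, and the missing piece the message asks for, a `solicit_pinhole` request by which an inside node asks the gateway to admit inbound connection attempts to one of its own ports (a hypothetical API standing in for what NAT-PMP/UPnP do for IPv4/NAT). Because the data connections are IPv6, the ALG parses the EPRT command and the 229 reply to EPSV from RFC 2428 rather than PORT and PASV. The class and method names, the addresses (documentation prefix 2001:db8::/32), ports and FTP dialogue are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# FTP messages that announce a listening data port over IPv6 (RFC 2428). The
# IPv4 PORT command and 227 reply differ only in encoding: two more patterns.
EPRT_RE = re.compile(rb"^EPRT \|2\|([0-9A-Fa-f:]+)\|(\d+)\|", re.M)
EPSV_REPLY_RE = re.compile(rb"^229 [^(\r\n]*\(\|\|\|(\d+)\|\)", re.M)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP connection attempt
    payload: bytes = b""


class StatefulFilter:
    """Default-deny inbound: an outside packet passes only if it matches state
    from an outbound flow, an FTP ALG pinhole, or a pinhole the host solicited."""

    def __init__(self, inside: str):
        self.inside = ipaddress.ip_network(inside)
        self.flows = set()     # (proto, in_addr, in_port, out_addr, out_port)
        self.pinholes = set()  # (proto, in_addr, in_port, peer or None, one_shot)

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def solicit_pinhole(self, requester: str, proto: str, port: int) -> bool:
        """Hypothetical NAT-PMP/UPnP-like request: an inside node asks that
        inbound connection attempts to one of its own ports be admitted."""
        if not self._is_inside(requester):
            return False
        self.pinholes.add((proto, requester, port, None, False))
        return True

    def _ftp_alg(self, pkt: Packet) -> None:
        """Inspect outbound FTP control traffic and punch a single-use pinhole,
        bound to the control peer, for the data connection it announces."""
        if pkt.proto != "tcp" or 21 not in (pkt.sport, pkt.dport):
            return
        m = EPRT_RE.search(pkt.payload)        # inside client in active mode
        if m and ipaddress.ip_address(m.group(1).decode()) == ipaddress.ip_address(pkt.src):
            self.pinholes.add(("tcp", pkt.src, int(m.group(2)), pkt.dst, True))
            return
        m = EPSV_REPLY_RE.search(pkt.payload)  # inside server in passive mode
        if m:
            self.pinholes.add(("tcp", pkt.src, int(m.group(1)), pkt.dst, True))

    def handle(self, pkt: Packet) -> bool:
        """Forward (True) or drop (False) one packet."""
        if self._is_inside(pkt.src):
            # Outbound always passes and creates the state its replies need.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self._ftp_alg(pkt)
            return True
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return True                        # reply to something we sent
        for hole in list(self.pinholes):
            proto, in_addr, in_port, peer, one_shot = hole
            if (proto, in_addr, in_port) != (pkt.proto, pkt.dst, pkt.dport):
                continue
            if peer not in (None, pkt.src) or (proto == "tcp" and not pkt.syn):
                continue                       # pinholes admit connection attempts only
            self.flows.add(key)                # the admitted flow now has state
            if one_shot:
                self.pinholes.discard(hole)
            return True
        return False


def demo() -> dict:
    """Constructed scenario on the documentation prefix 2001:db8::/32."""
    fw = StatefulFilter("2001:db8:1::/48")
    host, server, other = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:2::7"
    r = {}
    # 1. Ordinary outbound flow: the reply matches state, a third party does not.
    r["out_syn"] = fw.handle(Packet("tcp", host, 40000, server, 80, syn=True))
    r["reply"] = fw.handle(Packet("tcp", server, 80, host, 40000))
    r["forged_reply"] = fw.handle(Packet("tcp", other, 80, host, 40000))
    # 2. New protocol with no ALG: dropped until the host solicits a pinhole.
    r["new_app_before"] = fw.handle(Packet("tcp", other, 5555, host, 6881, syn=True))
    r["solicit_outsider"] = fw.solicit_pinhole(other, "tcp", 6881)
    r["solicit"] = fw.solicit_pinhole(host, "tcp", 6881)
    r["new_app_after"] = fw.handle(Packet("tcp", other, 5555, host, 6881, syn=True))
    # 3. Inside FTP client, active mode: EPRT yields a pinhole bound to the server.
    fw.handle(Packet("tcp", host, 40001, server, 21, syn=True))
    fw.handle(Packet("tcp", host, 40001, server, 21, payload=b"EPRT |2|2001:db8:1::10|50000|\r\n"))
    r["eprt_data"] = fw.handle(Packet("tcp", server, 20, host, 50000, syn=True))
    r["eprt_other"] = fw.handle(Packet("tcp", other, 20, host, 50000, syn=True))
    # 4. Inside FTP server (port 21 opened by policy): the 229 reply yields a pinhole.
    fw.solicit_pinhole(host, "tcp", 21)
    fw.handle(Packet("tcp", server, 40002, host, 21, syn=True))
    fw.handle(Packet("tcp", host, 21, server, 40002, payload=b"229 Entering Extended Passive Mode (|||51000|)\r\n"))
    r["epsv_data"] = fw.handle(Packet("tcp", server, 40003, host, 51000, syn=True))
    return r
```

Two design points carry over to a real gateway. The ALG only trusts an EPRT address that equals the source of the packet carrying it, and binds the resulting pinhole to the control-connection peer and to a single connection attempt, so an inspected control stream cannot be used to open the host to arbitrary third parties. The solicitation path applies the same rule: a request is honoured only for the requester's own address, which is the property any IPv6 successor to NAT-PMP/UPnP needs before a gateway can safely let applications open their own inbound ports.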