
Re: IPv6-PMP?

Hi,

On Mon, 16 Apr 2007 11:37:25 -0700
james woodyatt <jhw@apple.com> wrote:

> On Apr 14, 2007, at 17:29, Mark Smith wrote:
> >
> > Are you able to clarify the above a bit further? Are you saying  
> > that you're planning on implementing NAT for IPv6, so that you can  
> > "transparently" intercept connections/flows and have them processed  
> > by middleboxes in the network?
> 
> Yes.  I have to do this to make application layer gateways (ALG) for  
> IPv6 to be fully transparent.

They won't be "fully transparent". The devices on the public side of
the NAT will be able to detect them, or conversely, will break because
those devices or applications assume (quite reasonably, because that's
the (IPv6) Internet architecture) that there is a one-to-one mapping
between a network layer device and address.

Having had to deal with the problems that "transparent" ALG devices
cause at the network layer, I don't want to see them again. e.g.
traceroute doesn't show the path the traffic is actually taking, they
create performance bottlenecks, you have to traffic engineer certain
traffic to always pass a certain point in the network so that the ALG
gets a look at it, they create problems with remote websites and
applications that very reasonably assume a one-to-one mapping between
an IP address and a user.

>  There are a lot of well-known problems  
> with trying to make ALGs operate on a packet-by-packet basis in the
> IP filter before the TCP stack can reassemble the octet-stream.  It's  
> not too bad for FTP, but it's really perilous when you're trying to  
> handle RTSP and other applications that have complicated interactions  
> between application layers and the network layer.
> 

Can you describe some of those interactions? As far as I'm aware RTSP,
like other application protocols above the transport layer, just uses IP
as a dumb packet transport between specified IP addresses.

> I figure while I'm doing that, I might as well write a general  
> purpose IPv6 NAT.  I wish I didn't have to do this, but the security  
> considerations are pushing me into it.
> 

Can you detail those security considerations? I'd find it hard to
believe that NAT is the only security technique (and personally I don't
really consider it to be one anyway) that solves your problem. What
unique property does NAT provide that no other alternative (such as
stateful firewalling with public addressing) doesn't?

Regards,
Mark.
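To make the closing question concrete, here is an added example (my own illustration, not code from either poster) of the alternative Mark names: a minimal connection-tracking filter that admits inbound packets only when they belong to a flow an inside host opened, while leaving every address untouched so the one-to-one mapping between device and address survives. The inside prefix and host addresses are constructed documentation values, and the packets are plain tuples rather than real traffic.

```python
# Added illustration: stateful filtering with public IPv6 addressing.
# No address is ever rewritten; the only state is a table of flows that
# were initiated from the inside. Prefix and addresses are assumptions
# drawn from the 2001:db8::/32 documentation range.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

INSIDE_PREFIX = ipaddress.ip_network("2001:db8:1::/64")  # assumption


class StatefulFilter:
    """Connection-tracking filter: a flow table, not a translation table."""

    def __init__(self):
        # (inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in INSIDE_PREFIX

    def handle(self, pkt):
        """Return 'forward' or 'drop'. The packet itself is never modified,
        so traceroute, logs and remote peers all see the real end host."""
        if self._is_inside(pkt.src):
            # Outbound: remember the flow so the reply can come back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        # Inbound: only replies to an inside-initiated flow are admitted;
        # unsolicited connection attempts are dropped.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "forward"
        return "drop"


def demo():
    """Outbound request, its reply, and an unsolicited inbound packet."""
    fw = StatefulFilter()
    inside, outside = "2001:db8:1::10", "2001:db8:ffff::1"  # constructed
    outbound = fw.handle(Packet(inside, outside, 50000, 80))
    reply = fw.handle(Packet(outside, inside, 80, 50000))
    unsolicited = fw.handle(Packet(outside, inside, 1234, 22))
    return outbound, reply, unsolicited


if __name__ == "__main__":
    print(demo())  # ('forward', 'forward', 'drop')
```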