Re: The argument for writing a general purpose NAT for IPv6
On Apr 19, 2007, at 07:39, Iljitsch van Beijnum wrote:
However, let me propose a different direction for solving this:
rather than waiting until a port number is selected, put into a
control stream, then intercept that control stream, recover the
port number and open up the firewall, why not simply set aside a
range of port numbers for these types of purposes and let those
through the firewall?
With IPv4 this wouldn't work because there has to be a mapping
between a private and a public address, but with IPv6 that's not
necessary.
An RTSP server may put any IPv6 address in the source attribute of a
Transport header, so these ports would have to be open at all times
to the whole Internet. An RTSP server may *also* put any pair of UDP
port numbers (starting on an even number) in the client_port
attribute of a Transport header, so the ports that would have to be
opened to the whole Internet include a very wide range, potentially
*all* of them.
You're telling me that the way to solve the problem is to allow all UDP
packets through the filter. And that's just to make RealPlayer and
Quicktime work properly. What about IPsec (without the ESP
encapsulated in UDP) using ISAKMP? Should I just pass all ESP
packets through too? I don't think this proposal will be met with
much enthusiasm by the security experts at Apple who are already
smarting over the embarrassing discovery noted earlier.
I'd like to direct members of the group interested in continuing this
discussion about IPv6 filtering behaviors to the ongoing discussion
in the BEHAVE working group.
--
j h woodyatt <jhw@apple.com>
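To make the objection concrete, here is an added example (not code from the thread or from either participant) that parses the client_port and source attributes of an RTSP Transport header and contrasts the two approaches under discussion: a control-stream-inspecting ALG opens only the two advertised UDP ports from the advertised source, while a fixed "set aside" port range only works when the server happens to pick ports inside it. The header values and the range bounds are constructed for illustration.

```python
import re
import ipaddress

# Constructed sample Transport header values (RFC 2326 syntax); not from the thread.
SAMPLE_HEADERS = [
    "RTP/AVP;unicast;client_port=3456-3457;source=2001:db8::1",
    "RTP/AVP;unicast;client_port=60000-60001",          # no source given
    "RTP/AVP;unicast;client_port=3457-3458",            # odd RTP port: malformed pair
]

_CLIENT_PORT = re.compile(r"client_port=(\d+)-(\d+)")
_SOURCE = re.compile(r"source=([^;]+)")


def parse_transport(header):
    """Return (rtp_port, rtcp_port, source_or_None) from a Transport header.

    Raises ValueError unless client_port is an even RTP port followed by RTP+1,
    which is the pairing a server is expected to advertise."""
    m = _CLIENT_PORT.search(header)
    if not m:
        raise ValueError("no client_port attribute")
    rtp, rtcp = int(m.group(1)), int(m.group(2))
    if rtp % 2 or rtcp != rtp + 1 or not 0 < rtp < 65535:
        raise ValueError("client_port must be an even port followed by port+1")
    s = _SOURCE.search(header)
    source = str(ipaddress.ip_address(s.group(1))) if s else None
    return rtp, rtcp, source


def alg_pinhole(header):
    """The narrow rule an ALG derives after reading the control stream:
    inbound UDP to exactly the two advertised ports, from the advertised
    source address when one is present, otherwise from anywhere."""
    rtp, rtcp, source = parse_transport(header)
    return {"proto": "udp", "dports": (rtp, rtcp), "src": source or "any"}


def static_range_admits(header, lo, hi):
    """Would a fixed, always-open inbound UDP range lo..hi carry this session?
    Because the server may choose any pair, only lo=0, hi=65535 never fails."""
    rtp, rtcp, _ = parse_transport(header)
    return lo <= rtp and rtcp <= hi
```

The third sample header shows the validation an ALG must do before opening anything, since the control stream is attacker-influenced input.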