[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The argument for writing a general purpose NAT for IPv6

To: IETF V6OPS WG <v6ops@ops.ietf.org>
Subject: Re: The argument for writing a general purpose NAT for IPv6
From: james woodyatt <jhw@apple.com>
Date: Thu, 19 Apr 2007 13:34:59 -0700
In-reply-to: <0829DAE3-60A9-4918-8834-715B93665D39@muada.com>
References: <E1H56s6-0007us-HB@stiedprstage1.ietf.org> <200704111052.05934@auguste.remlab.net> <F26D69F6-8BEE-4D3D-A5B4-C730E9975DA1@apple.com> <200704112214.30985@auguste.remlab.net> <F65A3EA3-3E07-4C63-A4FF-C94832D556FC@apple.com> <70C6EFCDFC8AAD418EF7063CD132D06404352E36@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <200704130208.l3D28UWs017668@cichlid.raleigh.ibm.com> <F7359BE1-601E-4047-AC44-8653872303E2@apple.com> <20070415095925.28786098.ipng@69706e6720323030352d30312d31340a.nosense.org> <406C954E-B2D4-4EE0-904F-12C65902EA13@apple.com> <20070417061641.6df36300.ipng@69706e6720323030352d30312d31340a.nosense.org> <D9E32C70-B89D-4417-8340-38C79657F6A9@apple.com> <46248630.8020804@zurich.ibm.com> <courier.46248EB6.00006E0C@softhome.net> <1F310BCB-2EE0-441B-BB2F-67DF3EA6ABF4@apple.com> <AC0FBA28-A14B-466E-B1D6-16E4F4EB2036@muada.com> <1139442A-99C2-458D-A7ED-0833D3CFE358@apple.com> <0829DAE3-60A9-4918-8834-715B93665D39@muada.com>

On Apr 19, 2007, at 12:47, Iljitsch van Beijnum wrote:

On 19-apr-2007, at 19:44, james woodyatt wrote:
An RTSP server may *also* put any pair of UDP port numbers(starting on an even number) in the client_port attribute of aTransport header, so the ports that would have to be opened to thewhole Internet include a very wide range, potentially *all* of them.
That seems strange. Wouldn't the client want to have some say inthe port number it needs to open up?

I wasn't involved in the design of the RTSP protocol.

But if we can define a range of port numbers that will pass throughfirewalls, then obviously we can tell RTSP servers to use justthese ports.

There is no mechanism for RTSP servers to learn what ports theyshould be constrained to use. Perhaps you mean we can tell RTSPserver *administrators* to use just the ports we think areappropriate. Alas, there is no mechanism for doing that, either.

You're telling me that the way to solve the problem is allow allUDP packets through the filter. And that's just to makeRealPlayer and Quicktime work properly.
That's one option. But if the RTSP protocol is so unusual in thisrespect that it can't live in an uPnP/NAT-PMP world, another optionwould be to change the protocol. Some mechanism to allow for theproxying that you need but without the address fakery makes sense,but that may be hard to accomplish.

I have neither the option of changing the RTSP protocol nor the meansto force RTSP server administrators to use a limited range of clientports. I have to make Quicktime and RealPlayer streaming, as theyexist today, work properly and sooner rather than later.

What about IPsec (without the ESP encapsulated in UDP) using ISAKMP?

What do you mean by that? Packets with ip6->nextheader == ESP?

Yes.

These are extremely simple firewall-wise: it's yes or it's no toall of them. Obviously a firewall device can't be an ISAKMP proxy,unknown entities in the middle messing with your packets is exactlywhat IPsec is supposed to protect you against.

I think you might have missed an important part of the discussion.The problem is that outbound IKE initiations only punch holes for thewell-known ISAKMP port. They do not also punch holes for theassociated inbound ESP packets without the assistance of an ISAKMP-aware gateway, i.e. basically an ALG for ISAKMP and IPsec flows.

ESP packets that don't match any state at the host will be rejectedpromptly without any adverse effects, so I don't see any reason toinvest a lot of effort to make sure only ESP packets that matchknown state through the firewall device.

Without an ISAKMP ALG in the gateway, ESP packets that *DO* matchstate at the endpoint node will be rejected by the firewall.

I'd like to direct members of the group interested in continuingthis discussion about IPv6 filtering behaviors to the ongoingdiscussion in the BEHAVE working group.
In my experience, mailing list hopping halfway through a discussiondoesn't work too well. It would be good if the v6ops people couldreach some conclusion (and hopefully, consensus) on these issues.

I'm happy to continue the discussion separately or cross-posted toboth working groups, as necessary.

If BEHAVE and V6OPS think relaxing the constraints on what inboundpackets should be rejected by stateful packet filters in residentialIPv6 gateway devices, then I'll take those recommendations to Apple'ssecurity team and see if they feel comfortable relaxing the behaviorof future AirPort base station products. At the moment, however, therecommendation is clear: no inbound packets should be passed unlessthey are associated with state matching flows initiated by local nodes.

I will agree: the more we can relax the constraints in question, theless need there will be to implement ALG's for IPv6 firewalls, and*therefore* the less demand there may be for the development of IPv6general purpose NAT, which is the topic of this particular thread ofdiscussion. That would certainly help.

I'm very pessimistic, however, that we can eliminate *all* of theimpetus to implement ALG's for IPv6 firewalls without removing theconstraint on inbound flows entirely, or by the implementation of anapplication listener discovery protocol for firewalls. I'm moreoptimistic about the potential of the latter alternative than I amabout the former. To that end, I am drafting a proposal for solvingthis problem with a new ICMP sub-protocol.


--
j h woodyatt <jhw@apple.com>

Follow-Ups:
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Magnus Westerlund <magnus.westerlund@ericsson.com>
- RE: The argument for writing a general purpose NAT for IPv6
  - From: "Tony Hain" <alh-ietf@tndh.net>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Long term vs short term, was: Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- I-D ACTION:draft-ietf-v6ops-nap-06.txt
  - From: Internet-Drafts@ietf.org
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- RE: IPv6-PMP?
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: IPv6-PMP?
  - From: Thomas Narten <narten@us.ibm.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: EricLKlein@softhome.net
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: The argument for writing a general purpose NAT for IPv6
Next by Date: Long term vs short term, was: Re: The argument for writing a general purpose NAT for IPv6
Previous by thread: Re: The argument for writing a general purpose NAT for IPv6
Next by thread: Long term vs short term, was: Re: The argument for writing a general purpose NAT for IPv6
Index(es):
- Date
- Thread