
Re: CPE equipments and stateful filters



On Tuesday 24 July 2007 18:34:46 Fred Baker wrote:
> I think the right solution is an authenticated access protocol. If
> UPnP is publicly documented, fine, if James' protocol is the best
> bet, fine, and if it is something else, so be it. But a protocol that
> allows one to identify oneself and gain admittance on authorization
> provides for the concerns that you have. Someone from within can
> access out, the governing contract being the authorization to do so,
> and on AAA confirmation access in is granted, which enables someone
> with legitimate access privileges to access what they are authorized
> to access.

There might be a misunderstanding here. As far as I can tell, UPnP, NAT-PMP 
and ALD all allow (unauthenticated) requests coming from the inside, and 
discard any requests coming from the outside. In the physical world, most 
locks can be undone without a key from the inside, and only need a key from the 
inside.

To be fair, I was told UPnP does support authentication. Only nobody uses it, 
very much like almost nobody uses authenticated DHCP. I am sure James could 
add some kind of authentication mechanism for ALD, but I doubt it would see 
much real-life use. Unless people feel it should be usable from the outside, 
much like you can open your house outside door with the appropriate key.


In any case, I think people advocating stateful firewalls on CPEs should 
really get familiar with the work done in the BEHAVE wg. I am very sorry that the 
use and abuse of stateful firewalls in the IPv4 world has led to the unusability 
of just about any IETF transport protocol but UDP (Christian already hinted 
at this). If we are to require stateful firewalls for unmanaged networks, we 
REALLY REALLY REALLY need to clearly explain how TCP, SCTP, DCCP and any 
other connection-oriented protocol is expected to operate home-to-home. Not 
doing that would be equivalent to stating that the only valid model for 
unmanaged IPv6 is client at home and server in the server farm.

By the way, to amend James's slideset, only UDP really works with ICE (or any 
form of hole punching), while TCP works to a much lesser extent, and 
everything else does not: DCCP, SCTP, IPsec...


My 2 cents,

-- 
Rémi Denis-Courmont
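Added illustration of two points in the message above (mapping requests honoured only from the inside, and why UDP hole punching gets through a pair of stateful filters): a toy model written for this thread, not code from UPnP, NAT-PMP, ALD or any CPE. Host names, port numbers and the simplified filter rules are assumptions.

```python
# Toy model of a stateful CPE filter: no NAT, just "inside may initiate,
# outside may only answer". Hosts are plain strings; ports are ints.
from dataclasses import dataclass, field


@dataclass
class StatefulFilter:
    inside: set                                   # hosts on the home network
    flows: set = field(default_factory=set)       # expected inbound (src, sport, dst, dport)
    pinholes: set = field(default_factory=set)    # dports opened by inside mapping requests

    def send(self, src, sport, dst, dport):
        """Outbound packet from an inside host: forwarded, and the reply direction is recorded."""
        if src not in self.inside:
            raise ValueError("send() models packets leaving the home network")
        self.flows.add((dst, dport, src, sport))
        return True

    def receive(self, src, sport, dst, dport):
        """Inbound packet: forwarded only if it matches recorded state or an explicit pinhole."""
        return (src, sport, dst, dport) in self.flows or dport in self.pinholes

    def mapping_request(self, requester, dport):
        """UPnP/NAT-PMP/ALD-style 'open this port' request: honoured only from the inside."""
        if requester not in self.inside:
            return False                          # unauthenticated request from outside: discarded
        self.pinholes.add(dport)
        return True


def mapping_demo():
    """Same request from outside (rejected) and from inside (accepted), then an inbound hit."""
    f = StatefulFilter({"home"})
    from_outside = f.mapping_request("internet-host", 8080)
    from_inside = f.mapping_request("home", 8080)
    inbound = f.receive("internet-host", 40000, "home", 8080)
    return from_outside, from_inside, inbound


def udp_hole_punch(a="homeA", b="homeB"):
    """Two homes behind stateful filters send to each other (ICE-style): the first packet
    is dropped at the far end, but it creates local state, so the other side's packet
    and the retransmission both get through. Returns the fate of the three packets."""
    fa, fb = StatefulFilter({a}), StatefulFilter({b})
    fa.send(a, 5000, b, 6000)                          # A -> B: B has no state yet
    first = fb.receive(a, 5000, b, 6000)
    fb.send(b, 6000, a, 5000)                          # B -> A: A's state matches
    second = fa.receive(b, 6000, a, 5000)
    third = fb.receive(a, 5000, b, 6000)               # A retransmits: B's state now matches
    return [first, second, third]
```

The same exchange with TCP would have to line up SYN handling on both filters, which is why the message rates it as working only to a much lesser extent.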