Re: CPE equipments and stateful filters
On Tuesday 24 July 2007 18:34:46 Fred Baker wrote:
> I think the right solution is an authenticated access protocol. If
> UPnP is publicly documented, fine, if James' protocol is the best
> bet, fine, and if it is something else, so be it. But a protocol that
> allows one to identify oneself and gain admittance on authorization
> provides for the concerns that you have. Someone from within can
> access out, the governing contract being the authorization to do so,
> and on AAA confirmation access in is granted, which enables someone
> with legitimate access privileges to access what they are authorized
> to access.
There might be a misunderstanding here. As far as I can tell, UPnP, NAT-PMP
and ALD all allow (unauthenticated) requests coming from the inside, and
discard any requests coming from the outside. In the physical world, most
locks can be undone without a key from the inside, and only need a key from the
outside.
To be fair, I was told UPnP does support authentication. Only nobody uses it,
very much like almost nobody uses authenticated DHCP. I am sure James could
add some kind of authentication mechanism for ALD, but I doubt it would see
much real-life use. Unless people feel it should be usable from the outside,
much like you can open your house outside door with the appropriate key.
In any case, I think people advocating stateful firewalls on CPEs should
really get familiar with the work done in the BEHAVE wg. I am very sorry that the
use and abuse of stateful firewalls in the IPv4 world has led to the unusability
of just about any IETF transport protocol but UDP (Christian already hinted
at this). If we are to require stateful firewalls for unmanaged networks, we
REALLY REALLY REALLY need to clearly explain how TCP, SCTP, DCCP and any
other connection-oriented protocol is expected to operate home-to-home. Not
doing that would be equivalent to stating that the only valid model for
unmanaged IPv6 is client at home and server in the server farm.
By the way, to amend James's slideset, only UDP really works with ICE (or any
form of hole punching), while TCP works to a much lesser extent, and
everything else does not: DCCP, SCTP, IPsec...
My 2 cents,
--
Rémi Denis-Courmont
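A toy model of the behaviour discussed in this thread, added here as an illustration (it is not code from the thread, from UPnP, NAT-PMP or ALD): a CPE stateful filter that opens pinholes only for traffic started from the inside, and why ICE-style hole punching succeeds for UDP, for TCP only when the filter understands simultaneous open, and not at all for protocols the filter does not track (the filter tracking only TCP and UDP is an assumption of the model). The host names and the `StatefulFilter` class are constructed for this example.

```python
# Constructed model of two CPE stateful filters and ICE-style hole punching.
# Assumptions: a pinhole is created only by an outbound packet; for TCP the
# filter remembers which side sent the SYN, as common firewalls do; protocols
# other than TCP and UDP get no connection tracking at all.
class StatefulFilter:
    def __init__(self, simultaneous_open=False):
        self.pinholes = {}                  # (proto, inside, outside) -> state
        self.simultaneous_open = simultaneous_open

    def outbound(self, proto, inside, outside, syn=False):
        """Packet from the inside host: always forwarded; opens a pinhole for TCP/UDP."""
        if proto in ("tcp", "udp"):
            self.pinholes.setdefault((proto, inside, outside),
                                     "syn_sent" if proto == "tcp" else "open")
        return True

    def inbound(self, proto, outside, inside, syn=False):
        """Packet from the outside: forwarded only if it matches an existing pinhole."""
        key = (proto, inside, outside)
        state = self.pinholes.get(key)
        if state is None:
            return False                    # unsolicited, or untracked protocol
        if proto == "tcp" and state == "syn_sent" and syn:
            # Both ends sent a SYN: a bare SYN arrives where a SYN-ACK is expected.
            # Only a filter implementing TCP simultaneous open lets it through.
            if not self.simultaneous_open:
                return False
        if proto == "tcp":
            self.pinholes[key] = "established"
        return True


def hole_punch(proto, simultaneous_open=False):
    """Both hosts send to each other first (after exchanging candidates, as ICE
    does). Returns True only if each side's first packet reaches the other host."""
    a_cpe = StatefulFilter(simultaneous_open)
    b_cpe = StatefulFilter(simultaneous_open)
    syn = proto == "tcp"
    a_cpe.outbound(proto, "host_a", "host_b", syn=syn)   # opens pinhole on A's CPE
    b_cpe.outbound(proto, "host_b", "host_a", syn=syn)   # opens pinhole on B's CPE
    a_to_b = b_cpe.inbound(proto, "host_a", "host_b", syn=syn)
    b_to_a = a_cpe.inbound(proto, "host_b", "host_a", syn=syn)
    return a_to_b and b_to_a


def unsolicited(proto):
    """A packet from outside with no prior inside traffic: always discarded."""
    return StatefulFilter().inbound(proto, "host_b", "host_a", syn=(proto == "tcp"))
```

Running `hole_punch` for "udp", "tcp" and "sctp" reproduces the ordering in the post: UDP passes, TCP passes only with simultaneous-open support, and untracked protocols never do.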