RE: [BEHAVE] Re: CPE equipments and stateful filters
> -----Original Message-----
> From: james woodyatt [mailto:jhw@apple.com]
> Sent: Monday, July 30, 2007 11:31 AM
> To: IPv6 Operations; Behave WG
> Subject: [BEHAVE] Re: CPE equipments and stateful filters
...
> I'm currently looking at source code in OpenBSD PF that appears
> designed to use IPv6-NAT to redirect application flows to userland
> proxies for exactly this purpose. IPv6 support for an FTP
> "transparency helper" is on my list of things I expect to need, and
> using an IPv6 NAT to redirect FTP control flows in and out of my
> existing IPv4 FTP proxy looks like the obvious shortest path to
> working code. (Similar things will need to be done with all the
> other major application protocols.)
Application-aware ALGs are bad.
Passive-mode FTP (using the "PASV" verb) has been supported on
all modern FTP clients and FTP servers for a long time (going on a
decade for most FTP clients and FTP servers). Passive-mode FTP
causes the TCP data connection to be initiated by the FTP client (as
is the TCP control connection), which eliminates the need for any ALG
or ALG-like function in NATs and in firewalls. Is there a reason
passive FTP can't simply be mandated for v6, so we can avoid FTP-aware
ALGs?
> If IPv6 NAT were truly obsolete, this wouldn't be the case, but it
> is. Hence, my warning.
>
> Coming away from IETF 69 in Chicago, I'm now convinced that IETF will
> not be revisiting its consensus that the public IPv6 internet is
> intended to be clients behind multiple layers of firewalls
> communicating mainly through mediation services in data
> centers. I'm certain my employers will have no trouble
> adapting to this reality.
>
> I'm no longer certain that IPv6 will ever be a suitable replacement
> for IPv4/NAT in residential settings, but I see reasons to be
> hopeful that all is not lost on that account.
I do hope you pursue a BoF in Vancouver to discuss the need for
endpoints to communicate to firewalls in IPv6.
-d
>
> --
> james woodyatt <jhw@apple.com>
> member of technical staff, communications engineering
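As an added illustration of the reply's point (this is not code from the thread or from OpenBSD PF), the model below parses the FTP port-negotiation lines and asks which side opens the TCP data connection. A stateful filter in front of the client that admits only client-initiated connections passes passive-mode data connections without any ALG, while active mode needs an ALG to punch the hole. It goes slightly beyond the thread by also handling the IPv6-capable EPRT/EPSV forms from RFC 2428; the sample control-channel lines, addresses and the simplified filter policy are constructed for this example.

```python
import re

# Active mode: the client announces an address/port and the SERVER connects back (PORT / EPRT).
# Passive mode: the server announces an address/port and the CLIENT connects out (PASV / EPSV).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$")          # RFC 2428, IPv4 or IPv6
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")                   # RFC 2428, port only


def data_connection(line, server_addr):
    """Return (initiator, dst_host, dst_port) for the data connection announced by
    one control-channel line, or None if the line negotiates no data port.
    server_addr is the control-channel peer, needed because EPSV carries no address."""
    m = PORT_RE.match(line)
    if m:
        host = ".".join(m.groups()[:4])
        port = int(m.group(5)) * 256 + int(m.group(6))
        return ("server", host, port)        # server -> client: inbound to the client side
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.groups()[:4])
        port = int(m.group(5)) * 256 + int(m.group(6))
        return ("client", host, port)        # client -> server: outbound from the client side
    m = EPRT_RE.match(line)
    if m:
        return ("server", m.group(2), int(m.group(3)))
    m = EPSV_RE.match(line)
    if m:
        return ("client", server_addr, int(m.group(1)))
    return None


def stateful_filter_allows(conn):
    """Constructed policy: a stateful filter on the client side that permits only
    connections initiated from inside (the client) and has no FTP ALG."""
    initiator, _host, _port = conn
    return initiator == "client"


def needs_alg(line, server_addr):
    """True if the data connection announced by this line would be dropped by the
    stateful filter without an ALG; False if it passes; None if no negotiation."""
    conn = data_connection(line, server_addr)
    if conn is None:
        return None
    return not stateful_filter_allows(conn)
```

Running the four negotiation forms through `needs_alg` shows that only the active-mode lines (PORT/EPRT) require an ALG, which is the reason the reply gives for mandating passive mode.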