[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BEHAVE] Re: CPE equipments and stateful filters

To: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Subject: Re: [BEHAVE] Re: CPE equipments and stateful filters
From: james woodyatt <jhw@apple.com>
Date: Mon, 30 Jul 2007 12:51:23 -0700
In-reply-to: <02ed01c7d2dd$f4b90500$c5f0200a@amer.cisco.com>
References: <02ed01c7d2dd$f4b90500$c5f0200a@amer.cisco.com>

On Jul 30, 2007, at 12:15, Dan Wing wrote:


Application-aware ALGs are bad.


They are better than nothing.

Passive-mode FTP (using the "PASV" verb) has been supported on
all modern FTP clients and FTP servers for a long time (going on a
decade for most FTP clients and FTP servers).  Passive-mode FTP
causes the TCP data connection to be initiated by the FTP client (as
is the TCP control connection), which eliminates the need for any ALG
or ALG-like function in NATs and in firewalls.  Is there a reason
passive FTP can't simply be mandated for v6, so we can avoid FTP-aware
ALGs?

No. Passive-mode FTP is broken for exterior clients connecting tointerior servers by stateful packet filters. Merely allowing the FTPcontrol port through the filter to the interior server isinsufficient. Requiring FTP clients and servers to use TCPsimultaneous open for data connections could address this problem,but I've been using FTP as an example to illustrate the wider problemwith applications in general.

We still have an open problem regarding IKE and IPsec ESP/AH, and Idon't see a comparable way to resolve it without an applicationtransparency helper or by allowing inbound ESP/AH by default. Itremains to be seen whether consensus will emerge around the lattersolution, so I contend the former remains an open problem.

There are similar issues with RTSP and RTCP/RTP flows. And otherexisting application protocols. Not to mention applications notimagined by their developers yet. And and and. So long as the IPv6architecture is defined such that communications between endpointsare always expected to originate with nodes behind firewalls andmediated by services in data centers, we will be saddled with theneed for either 1) application transparency helpers inside networkfirewalls, and/or 2) an improvement to the core IPv6 specificationsalong the lines of my Application Listener Discovery (ALD) proposal.

I do hope you pursue a BoF in Vancouver to discuss the need for
endpoints to communicate to firewalls in IPv6.


I'm working on socializing that plan with my management.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- RE: [BEHAVE] Re: CPE equipments and stateful filters
  - From: "Dan Wing" <dwing@cisco.com>
- Re: [BEHAVE] Re: CPE equipments and stateful filters
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

References:
- RE: [BEHAVE] Re: CPE equipments and stateful filters
  - From: "Dan Wing" <dwing@cisco.com>

Prev by Date: Re: [BEHAVE] Re: CPE equipments and stateful filters
Next by Date: Re: [BEHAVE] Re: CPE equipments and stateful filters
Previous by thread: RE: [BEHAVE] Re: CPE equipments and stateful filters
Next by thread: Re: [BEHAVE] Re: CPE equipments and stateful filters
Index(es):
- Date
- Thread