Re: [BEHAVE] Re: CPE equipments and stateful filters
On Jul 30, 2007, at 12:15, Dan Wing wrote:
>> Application-aware ALGs are bad.
> They are better than nothing.
> Passive-mode FTP (using the "PASV" verb) has been supported on
> all modern FTP clients and FTP servers for a long time (going on a
> decade for most FTP clients and FTP servers). Passive-mode FTP
> causes the TCP data connection to be initiated by the FTP client (as
> is the TCP control connection), which eliminates the need for any ALG
> or ALG-like function in NATs and in firewalls. Is there a reason
> passive FTP can't simply be mandated for v6, so we can avoid FTP-aware
> ALGs?
No. Passive-mode FTP is broken for exterior clients connecting to
interior servers by stateful packet filters. Merely allowing the FTP
control port through the filter to the interior server is
insufficient. Requiring FTP clients and servers to use TCP
simultaneous open for data connections could address this problem,
but I've been using FTP as an example to illustrate the wider problem
with applications in general.
We still have an open problem regarding IKE and IPsec ESP/AH, and I
don't see a comparable way to resolve it without an application
transparency helper or by allowing inbound ESP/AH by default. It
remains to be seen whether consensus will emerge around the latter
solution, so I contend the former remains an open problem.
There are similar issues with RTSP and RTCP/RTP flows. And other
existing application protocols. Not to mention applications not
imagined by their developers yet. And and and. So long as the IPv6
architecture is defined such that communications between endpoints
are always expected to originate with nodes behind firewalls and
mediated by services in data centers, we will be saddled with the
need for either 1) application transparency helpers inside network
firewalls, and/or 2) an improvement to the core IPv6 specifications
along the lines of my Application Listener Discovery (ALD) proposal.
> I do hope you pursue a BoF in Vancouver to discuss the need for
> endpoints to communicate to firewalls in IPv6.
I'm working on socializing that plan with my management.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
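The point made above about exterior clients and interior servers, as an added simulation that is not part of the thread: a stateful filter that only passes the FTP control port drops the client-initiated data connection, because the port was announced inside a 227 reply the filter never looked at; an FTP ALG that parses that reply and punches a pinhole is what makes passive mode work. The server address, the 227 reply and the class and function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
# Constructed sample values (not from the e-mail): the interior FTP
# server's address and the 227 reply it sends to an exterior client.
SERVER_ADDR = "198.51.100.10"
PASV_REPLY = "227 Entering Passive Mode (198,51,100,10,195,80)\r\n"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply, or None."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass
class StatefulFilter:
    """Filter in front of the interior server: inbound SYNs pass only to
    statically allowed ports or to pinholes an ALG has opened."""
    allowed_ports: set = field(default_factory=lambda: {21})
    pinholes: set = field(default_factory=set)

    def permit_inbound(self, dst, port):
        return port in self.allowed_ports or (dst, port) in self.pinholes

    def ftp_alg_observe(self, server, reply):
        """ALG hook on server-to-client control traffic: open a pinhole
        for the data port a 227 reply announces. The announced host must
        be the control-connection peer itself, so a reply cannot open
        holes towards other interior hosts or privileged ports."""
        parsed = parse_pasv(reply)
        if parsed is None or parsed[0] != server or parsed[1] < 1024:
            return False
        self.pinholes.add(parsed)
        return True

def data_connection_accepted(with_alg):
    """Exterior client reaches port 21 (allowed), receives the 227 reply,
    then connects to the announced data port; True if the filter lets
    that inbound data connection through."""
    fw = StatefulFilter()
    if not fw.permit_inbound(SERVER_ADDR, 21):
        return False
    if with_alg:
        fw.ftp_alg_observe(SERVER_ADDR, PASV_REPLY)
    return fw.permit_inbound(*parse_pasv(PASV_REPLY))
```

Running `data_connection_accepted(False)` gives False and `data_connection_accepted(True)` gives True, which is the "merely allowing the FTP control port through the filter is insufficient" observation in miniature.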