Re: [BEHAVE] Re: CPE equipments and stateful filters
On Jul 30, 2007, at 15:47, Dan Wing wrote:

> [I wrote:]
>> There are similar issues with RTSP
>
> RTSP control traffic over TCP?

Yes. As seen in QuickTime and RealPlayer applications.

>> and RTCP/RTP flows.
>
> At this point, ICE (draft-ietf-mmusic-ice) is believed to provide
> a viable, incrementally deployable mechanism for IPv4 and IPv6,
> including if you're behind a NAT or firewall if that NAT or firewall
> allows packets from inside->outside to create permissions for
> outside->inside; most NATs available to consumers work like that
> and all firewalls can be configured like that.

Existing code (which does support IPv6) has no support for ICE.

Even in the event ICE isn't deployed, how do you recommend I resist
the inevitable pressure to implement an application transparency
helper for these A/V streaming applications? I'm still having to
maintain ALGs in IPv4/NAT for various VPN protocols even though we
have long had standards track protocols for IPsec encapsulated in UDP
and negotiating NAT traversal of IKE.

I'm expecting to have to implement a helper for IKE and IPsec ESP/AH
in IPv6. Without it, I expect route optimization in Mobile IPv6 to
be broken, since mobile nodes are supposed to bind with their home
agents using an IPsec ESP security association. In fact, the more I
read about route optimization in MIPv6, the more convinced I am that
it represents the most glaring illustration yet of our failure to
consider properly the implications of recommending the widespread
deployment of stateful middlebox packet filtering in IPv6 networks.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering