[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BEHAVE] RE: Firewall control

To: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Subject: Re: [BEHAVE] RE: Firewall control
From: james woodyatt <jhw@apple.com>
Date: Tue, 20 Nov 2007 14:18:05 -0800
Cc: Melinda Shore <mshore@cisco.com>
In-reply-to: <C36322BC.2DED8%mshore@cisco.com>
References: <C36322BC.2DED8%mshore@cisco.com>

On Nov 16, 2007, at 07:34, Melinda Shore wrote:

On 11/16/07 10:27 AM, "Rémi Denis-Courmont" <remi.denis-courmont@nokia.com> wrote:
Uh? UPnP is about mapping external ports to internal ones, andgetting the
external address of the middlebox. Now, if that's not NAT centric...
The last time I looked at it it also included firewall pinholing.

There are hints that UPnP IGD 2.0 may support firewall pinholing inIPv6 whenever it's eventually published. I have seen no publicdocuments yet, but I would be very surprised if this feature isinserted into the specification by any method beyond thestraightforward method of extended the XML schemas to allow IPv6addresses and, possibly, to note that no NAT is necessary.

A firewall that has an "advanced" policy such as what you'll findin a typicalcorporate network most certainly does not want to be controlledanyway.

Back when we were trying to figure out what to call this work there
was a strong "suggestion" from Scott Bradner to call it "middlebox
communication" because we didn't want to imply that the endpoint or
its proxy was actually going to be controlling anything.  The problem
here isn't to allow applications to open pinholes on firewalls, but
rather for applications to request these network resources, give the
network/firewall sufficient information to say "yes" or "no," and
give the network a mechanism to communicate its decision back to the
endpoint.

I'd like to point out that my ALD proposal is very deliberatelypresented with an inverted perspective on this. The problem I triedto address is to give the stateful firewall a chance to discoverapplication endpoint addresses that policy requires it to exempt fromthe general prohibition on blocking incoming packets not conformingto any existing state created by tracking the flow of outbound packets.

ALD is absolutely *NOT* a mechanism for applications to "control"firewalls, or even to "request" firewalls to open pinholes for them.It is a mechanism for firewalls to discover application listeners, sothat incoming flows for those applications can be delivered to themproperly, even when applications don't know in advance where thoseflows will originate. Notice that ALD notifications go from nodes tofirewalls, and acknowledgements are sent by firewalls solely for thepurpose of telling nodes to stop sending notification retries. Noinformation is provided by firewalls to applications beyond that.This is quite intentional.

I think firewalls should be as transparent as possible, except whenpolicy requires them to intervene.

In my humble opinion, ALD's primary virtue is that it correctlyplaces the burden on the firewall not to destroy network transparencyunnecessarily. To that end, it aims to define a way for IPv6 nodeimplementations to provide firewalls with enough information tobehave transparently in the face of passive listening applications.It does not try to inform applications of the state of firewalls inthe network.

We all still think applications shouldn't have to care, right?

I also think it's worth noting that any proposal for nodes/applications to communicate with firewalls to solve these sorts ofproblems will inevitably involve disclosing the addresses ofapplication passive listener endpoints when their users may not beexpecting it. I don't know how to prevent that from happening andstill comply with the recommendations described in RFC 4864 andexpanded in draft-ietf-v6ops-cpe-simple-security, but I don't thinkmany participants here think this is a sensible securityconsideration. Furthermore, I suspect many network operators will bevery interested in mining the information stream produced byprotocols of this class.

This is another virtue of ALD. It gives operators the potential forsome snooping goodness they can't get with current IPv6implementations, and it does so *without* larding their firewallsdown with a lot of extra work trying to inform applications of thingsthey shouldn't need to know.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Prev by Date: Re: I-D ACTION:draft-ietf-v6ops-rfc3330-for-ipv6-01.txt
Next by Date: Re: question about draft-durand-v6ops-natv4v6v4-00
Previous by thread: RE: [BEHAVE] RE: Firewall control
Next by thread: I-D Action:draft-ietf-v6ops-teredo-security-concerns-01.txt
Index(es):
- Date
- Thread