[111634] in North American Network Operators' Group
Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Mon Feb 9 18:24:56 2009
Date: Mon, 09 Feb 2009 17:24:51 -0600
From: Stephen Sprunk <stephen@sprunk.org>
To: Ricky Beam <jfbeam@gmail.com>
In-Reply-To: <op.uo3ulbnwtfhldh@rbeam.xactional.com>
Cc: north American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org
Ricky Beam wrote:
> On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk
> <stephen@sprunk.org> wrote:
>> Non-NAT firewalls do have some appeal, because they don't need to
>> mangle the packets, just passively observe them and open pinholes
>> when appropriate.
>
> This is exactly the same with NAT and non-NAT -- making any anti-NAT
> arguments null.
>
> In the case of NAT, the "helper" has to understand the protocol to
> know what traffic to map.
>
> In the case of stateful firewalling ("non-NAT"), the "helper" has to
> understand the protocol to know what traffic to allow.
>
> Subtle difference, but in the end, the same thing... if your gateway
> doesn't know what you are doing, odds are it will interfere with it.
> In all cases, end-to-end transparency doesn't exist (as has been the
> case for well over a decade).
Yes, an ALG needs to understand the packet format to open pinholes --
but with NAT, it also needs to mangle the packets. A non-NAT firewall
just examines the packets and then passes them on unmangled.
This mangling can be a serious source of problems. With UDP, it can
introduce checksum errors. With TCP, not only do you have possible
checksum errors, you also have to mangle the sequence numbers in both
directions if the length of the payload changes. The mangling will
inherently break standard IPsec and other "shim" layers like HIP. And
let's not forget that NAT makes widespread deployment of any L4
alternative to TCP and UDP (e.g. SCTP) virtually impossible, forcing
every new transport or shim protocol to inefficiently ride on top of TCP
or UDP...
Some protocols, e.g. SIP/RTP, also work fine through a stateful firewall
even without an ALG in most cases -- but not when you add in NAT.
S
--
Stephen Sprunk
CCIE #3723
K5SSS

"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible
opportunity." --Stephen Hawking
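Added example, not part of Sprunk's message or of the thread: a toy NAT ALG in Python that makes the fix-ups listed above concrete. The addresses (RFC 5737 documentation ranges), ports, the SIP/SDP-style payload and the "AH key" are all constructed for illustration; the ALG is a naive substring rewrite of the inside address in the payload, and the integrity check is an HMAC over the addresses and payload standing in for AH, not an implementation of either. It shows three things the message states: translating an address invalidates the TCP checksum even when the payload is untouched (the pseudo-header covers both addresses); a payload rewrite that changes length forces a per-flow sequence delta that must be applied to outbound SEQ and inbound ACK for the rest of the connection; and an integrity value over the addresses cannot survive either rewrite, while a non-NAT firewall that only verifies and forwards leaves all of it intact.

```python
"""Toy NAT ALG on a constructed SIP-over-TCP flow (RFC 5737 addresses)."""
import hashlib
import hmac
import ipaddress
import struct

INSIDE = "10.0.0.5"       # constructed host behind the NAT (8 chars as text)
OUTSIDE = "198.51.100.7"  # constructed public side of the NAT (12 chars)
PEER = "203.0.113.9"      # constructed remote SIP peer

def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_bytes(pkt: dict, csum: int = 0) -> bytes:
    """Minimal TCP header (PSH|ACK, no options) followed by the payload."""
    hdr = struct.pack("!HHIIHHHH", pkt["sport"], pkt["dport"], pkt["seq"],
                      pkt["ack"], 0x5018, 65535, csum, 0)
    return hdr + pkt["payload"]

def tcp_checksum(pkt: dict) -> int:
    """Checksum over the IPv4 pseudo-header plus segment; the pseudo-header
    carries both addresses, so rewriting either one invalidates it."""
    seg = tcp_bytes(pkt)
    pseudo = (ipaddress.IPv4Address(pkt["src"]).packed
              + ipaddress.IPv4Address(pkt["dst"]).packed
              + struct.pack("!BBH", 0, 6, len(seg)))
    return checksum16(pseudo + seg)

def finish(pkt: dict) -> dict:
    pkt["csum"] = tcp_checksum(pkt)  # what a sending host, or a NAT, must do
    return pkt

def checksum_ok(pkt: dict) -> bool:
    """What a receiver, or a non-NAT stateful firewall, verifies and leaves alone."""
    return tcp_checksum(pkt) == pkt["csum"]

def ah_icv(pkt: dict, key: bytes) -> bytes:
    """AH-style integrity value over addresses plus payload: the fields a NAT rewrites."""
    covered = (ipaddress.IPv4Address(pkt["src"]).packed
               + ipaddress.IPv4Address(pkt["dst"]).packed + pkt["payload"])
    return hmac.new(key, covered, hashlib.sha256).digest()

class NatAlg:
    """One inside host behind one public address.  Rewrites the inside address
    in the payload (SIP/SDP 'c=' line) and then owns a per-flow sequence delta."""
    def __init__(self, inside: str, outside: str):
        self.inside, self.outside = inside, outside
        self.delta = {}  # (sport, dport) -> bytes added to the outbound stream

    def outbound(self, pkt: dict) -> dict:
        key = (pkt["sport"], pkt["dport"])
        delta = self.delta.get(key, 0)
        out = dict(pkt, src=self.outside)
        # Naive substring rewrite; a real ALG parses the protocol first.
        out["payload"] = pkt["payload"].replace(self.inside.encode(),
                                                self.outside.encode())
        # Earlier growth shifts this segment; this segment's growth shifts the rest.
        out["seq"] = (pkt["seq"] + delta) & 0xFFFFFFFF
        self.delta[key] = delta + len(out["payload"]) - len(pkt["payload"])
        return finish(out)

    def inbound(self, pkt: dict) -> dict:
        key = (pkt["dport"], pkt["sport"])
        delta = self.delta.get(key, 0)
        back = dict(pkt, dst=self.inside)
        back["ack"] = (pkt["ack"] - delta) & 0xFFFFFFFF  # peer ACKs the mangled stream
        return finish(back)

def seg(src: str, dst: str, seq: int, ack: int, payload: bytes) -> dict:
    return finish({"src": src, "dst": dst, "sport": 5060, "dport": 5060,
                   "seq": seq, "ack": ack, "payload": payload})

def demo() -> dict:
    key = b"constructed-ah-key"
    nat = NatAlg(INSIDE, OUTSIDE)
    invite = seg(INSIDE, PEER, 1000, 5000, b"INVITE sip:bob@" + PEER.encode()
                 + b" SIP/2.0\r\nc=IN IP4 " + INSIDE.encode() + b"\r\n")
    lazy = dict(invite, src=OUTSIDE)  # header translated, checksum forgotten
    wire1 = nat.outbound(invite)
    ack_seg = seg(INSIDE, PEER, 1000 + len(invite["payload"]), 5000,
                  b"ACK sip:bob@" + PEER.encode() + b" SIP/2.0\r\n")
    wire2 = nat.outbound(ack_seg)
    reply = seg(PEER, OUTSIDE, 5000, wire2["seq"] + len(wire2["payload"]),
                b"SIP/2.0 200 OK\r\n")
    delivered = nat.inbound(reply)
    return {
        "lazy_checksum_ok": checksum_ok(lazy),      # False: corruption on the wire
        "wire_checksum_ok": checksum_ok(wire1),     # True: ALG recomputed it
        "wire_len": len(wire1["payload"]),          # 59: grew by 4 bytes
        "wire_seq2": wire2["seq"],                  # 1059: host sent 1055
        "delivered_ack": delivered["ack"],          # 1088: what the host expects
        "ah_survives_nat": ah_icv(wire1, key) == ah_icv(invite, key),  # False
    }
```

Run `demo()` to get the dictionary of results. The per-flow delta is the part that keeps biting in practice: the NAT has to keep it for the lifetime of the connection, apply it consistently to every later SEQ one way and every ACK the other way, and it is wrong the moment a retransmission of the rewritten segment arrives out of order or a second rewrite happens inside one segment, which is why the message's "just examines the packets and then passes them on unmangled" path has none of this state to get wrong.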