
Re: On firewall traversal vs. bypass

2007-07-31 23:55:10

ext Melinda Shore wrote:
> On 7/31/07 4:09 AM, "Aki Niemi" <aki(_dot_)niemi(_at_)nokia(_dot_)com> wrote:
>> Continuing on something heard at the technical plenary last week. There
>> were people complaining that while protocols like STUN/TURN and ICE are
>> traversing NAT, they are in fact bypassing firewall policies, which they
>> should not be doing.
>
> I think it's more complicated than that.
> 1) there were complaints about the difficulties caused
>    specifically by firewalls (apart from NATs)
> 2) Eric said that the IETF is producing firewall traversal
>    protocols like ICE
> 3) I pointed out that ICE is a NAT traversal protocol, not
>    a firewall traversal protocol, and that a key functional
>    difference is that NATs don't really do policy (beyond
>    address policy) while firewalls are specifically policy
>    devices.
>
> Where I think we differ is in what we think firewalls ought
> to do.  While the default policy of a residential firewall
> probably should be something along the lines of "keep
> unsolicited traffic out," enterprise policies tend to be and
> should be a lot richer.

True, therefore it's not a good idea to group all firewalls together.
You draw a distinction between a NAT and a firewall; I would take this
further and draw a distinction between a NAT, a stateful firewall (a
close relative to NAT) and a stateless firewall (e.g., an enterprise
firewall).

> STUN and ICE effectively work by side-effect, creating NAT
> table mappings simply by passing data across the NAT.  In the
> firewall case you really must allow the firewall the possibility
> to say "no," and you should give the firewall the data it
> needs to make an informed decision.  That data might include
> application identification, user credentials - whatever
> information is used as the basis for a policy decision.  It's
> also nice if you're able to tell the application that its
> request has been denied so that it can fail and/or recover
> gracefully.

While I agree that interacting with an enterprise firewall is probably
best done with an explicit control interface -- one where credentials
can be issued and authorization policies enforced -- I don't think it
necessarily means all firewalls are best handled this way. In fact, ICE
by default won't help you with the enterprise firewall, but it's exactly
the tool to use for the stateful firewall on a home router box.

Then again, if the enterprise so chooses, it could indeed deploy TURN as
this explicit control interface, rather than the SBC-type box typically
used today. ICE could accommodate this as well.

> I also think the assumption that any media flows across a
> firewall ought to be allowed is questionable, but that's a
> somewhat different matter.

Again, depends on the firewall. In an enterprise this might not be a
reasonable assumption, but on the typical home router box, I very much
doubt whether it makes any difference if the flow carries VoIP or
internet radio streaming or a webcam feed. Why do you think it does?

Cheers,
Aki
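The distinction the two of them are drawing, modelled in code. This is an added example, not code from the thread or from any IETF specification: a toy stateful NAT whose table entries appear purely as a side-effect of outbound packets (the behaviour STUN and ICE rely on, described here with RFC 4787's "endpoint-independent mapping, address-dependent filtering" terminology), beside a toy policy firewall that admits nothing until an explicit request carrying a user and application name is authorised, and that reports a denial back so the application can fail cleanly. All addresses, ports, names and the policy table are constructed for the example.

```python
"""Toy model of NAT-by-side-effect versus a policy firewall that can say "no".
Addresses, ports, user names and the policy table are constructed examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    payload: str


class StatefulNat:
    """Endpoint-independent mapping, address-dependent filtering (RFC 4787 terms):
    an internal socket always gets the same external port, but inbound packets
    are admitted only from remote addresses that socket has already sent to.
    Nobody asks this box for permission; the table fills up as traffic passes."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}   # internal (ip, port) -> external port
        self.peers = {}      # external port -> set of remote ips already contacted

    def outbound(self, pkt):
        ext_port = self.mappings.get(pkt.src)
        if ext_port is None:                    # first packet from this socket: new mapping
            ext_port = self.next_port
            self.next_port += 1
            self.mappings[pkt.src] = ext_port
            self.peers[ext_port] = set()
        self.peers[ext_port].add(pkt.dst[0])    # side-effect: this peer may now reply
        return Packet((self.public_ip, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Translate an inbound packet, or return None for a silent drop."""
        ext_port = pkt.dst[1]
        if pkt.dst[0] != self.public_ip or ext_port not in self.peers:
            return None                         # no mapping at all
        if pkt.src[0] not in self.peers[ext_port]:
            return None                         # mapping exists, but filter blocks this peer
        internal = next(i for i, p in self.mappings.items() if p == ext_port)
        return Packet(pkt.src, internal, pkt.payload)


class PolicyFirewall:
    """Policy device: nothing crosses until an explicit request naming the user
    and application is authorised. The answer is returned to the requester so a
    denied application can fail gracefully instead of timing out."""

    def __init__(self, policy):
        self.policy = policy     # (user, application) -> allowed?
        self.pinholes = set()    # (internal (ip, port), remote ip)

    def request(self, user, app, internal, remote_ip):
        allowed = self.policy.get((user, app), False)
        if allowed:
            self.pinholes.add((internal, remote_ip))
        return allowed           # explicit yes/no, never a silent drop

    def inbound(self, pkt):
        return pkt if (pkt.dst, pkt.src[0]) in self.pinholes else None


def stun_binding(nat, internal, stun_server):
    """STUN Binding in miniature: send through the NAT, learn the reflexive address."""
    out = nat.outbound(Packet(internal, stun_server, "Binding Request"))
    return out.src


def ice_like_exchange(nat, internal, stun_server, peer):
    """Return (reflexive address, peer's packet before our check, same packet after).
    Shows why ICE checks run in both directions: the peer's first packet is dropped
    by address-dependent filtering until the host itself has sent toward the peer."""
    reflexive = stun_binding(nat, internal, stun_server)
    before = nat.inbound(Packet(peer, reflexive, "check from peer"))
    nat.outbound(Packet(internal, peer, "check to peer"))   # opens the filter for peer
    after = nat.inbound(Packet(peer, reflexive, "check from peer"))
    return reflexive, before, after


if __name__ == "__main__":
    nat = StatefulNat("203.0.113.7")
    host, stun, peer = ("10.0.0.5", 5000), ("198.51.100.1", 3478), ("192.0.2.9", 6000)
    reflexive, before, after = ice_like_exchange(nat, host, stun, peer)
    print("reflexive:", reflexive, "| before check:", before, "| after check:", after)

    fw = PolicyFirewall({("alice", "voip"): True})
    print("alice/voip:", fw.request("alice", "voip", host, peer[0]))
    print("bob/webcam:", fw.request("bob", "webcam", ("10.0.0.6", 5000), "192.0.2.10"))
    print("bob's media:", fw.inbound(Packet(("192.0.2.10", 6000), ("10.0.0.6", 5000), "rtp")))
```

The NAT half never consults anything but its own table, which is the "side-effect" point: the same outbound packets that carry the connectivity check are what create the hole. The firewall half cannot be opened that way at all; only `request()` adds a pinhole, and it hands back a decision rather than leaving the application to wait for packets that will never arrive.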
