ietf

Re: Checksum at IP layer - is it even needed ?

2015-12-14 18:55:48

On Dec 14, 2015, at 4:14 PM, Alexey Eromenko <al4321(_at_)gmail(_dot_)com> wrote:

> Now, if we want to protect vs. data mangling by middleboxes, we need
> to look not only at switches, but also at NAT Routers (including cheap
> home routers, and load-balancers) -- those *can* mangle any TCP data,
> and compute the wrong checksum there!

I’d like to be idealistic here, but the problem is fairly catastrophic and
widespread.  Things like UDP/5060 are badly mangled by ALG, including my
favorite that you can remotely reboot many of the AT&T Uverse boxes by
sending them SIP frames for devices through their ALG/NAT44.

Most home gateways have some broken ALG that actually makes things worse,
including when Cisco originally implemented SIP ALG and broke the original
Apple “iChat A/V” SIP messages from working properly.

The workaround we’ve been slowly moving to is shifting services to alternate
ports that aren’t damaged by these transparent and helpful devices.  Our
instructions to users say “Turn off SIP-ALG in your device”, but things like
the carrier-provided devices don’t expose these options depending on the
hardware revision, or just plain forget they have an internal interface for SIP
traffic, and when you send them a check-config NOTIFY they consume it themselves
and crash/reboot.

I tried to report these problems, and captured many others when doing the
OpenResolverProject scans, including NATs that spoofed the source address
to their ALG-DNS ports/servers.  

Middle boxes are a giant unmitigated disaster of mostly consumer or
carrier provided devices that undergo zero testing and are part of
what I’ve dubbed the “IoT” (Internet of Trash) which will never be upgraded
or be administered.

What you have instead is everyone performing an effective overlay or plain VPN
around these devices that damage traffic.

        - jared
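The quoted point about NATs and ALGs mangling payload and then computing the checksum themselves is easy to see with real arithmetic. The following is an added example, not code from the thread or from any of the devices discussed: it builds a UDP/SIP segment with a constructed INVITE (addresses 192.168.1.10, 203.0.113.5 and 198.51.100.20 are documentation/RFC 1918 values chosen for the example), then models three middleboxes. A plain NAT44 swaps the source address and patches the transport checksum incrementally (RFC 1624, eq. 3), which comes out identical to a full recomputation. A SIP ALG rewrites the private address inside the SDP, changes the length, and recomputes the checksum from scratch, so the receiver's check passes no matter what the ALG did to the payload; the checksum only covers what the last rewriter decided to send. A third variant recomputes over the wrong pseudo-header (the pre-NAT source address), which is one way a gateway "computes the wrong checksum there" and gets its packets dropped. A single flipped payload byte after the last recomputation is still caught, which is the one thing the checksum reliably buys you end to end.

```python
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """The IPv4 pseudo-header is part of the UDP checksum, which is exactly
    why a NAT has to touch the transport checksum when it rewrites an address."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, seg: bytes) -> int:
    zeroed = seg[:6] + b"\x00\x00" + seg[8:]
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + zeroed)) & 0xFFFF
    return csum or 0xFFFF  # UDP: 0 on the wire means "no checksum", so send 0xFFFF instead


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


def verify_udp(src_ip: str, dst_ip: str, seg: bytes) -> bool:
    """Receiver side: length field must match, and the sum over
    pseudo-header + segment (checksum included) must fold to 0xFFFF."""
    if struct.unpack("!H", seg[4:6])[0] != len(seg):
        return False
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF


def incremental_update(old_csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied per 16-bit word.
    A pure NAT44 uses this to fix the checksum without re-reading the packet."""
    assert len(old) == len(new) and len(old) % 2 == 0
    total = (~old_csum) & 0xFFFF
    for (m,), (m_new,) in zip(struct.iter_unpack("!H", old), struct.iter_unpack("!H", new)):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ((~total) & 0xFFFF) or 0xFFFF


def nat44_rewrite_src(old_src: str, new_src: str, seg: bytes) -> bytes:
    """Plain NAT44: only the pseudo-header source address changes, so only
    those two words enter the incremental update. Payload is untouched."""
    old_csum = struct.unpack("!H", seg[6:8])[0]
    new_csum = incremental_update(old_csum, ipaddress.IPv4Address(old_src).packed,
                                  ipaddress.IPv4Address(new_src).packed)
    return seg[:6] + struct.pack("!H", new_csum) + seg[8:]


def sip_alg(old_src: str, new_src: str, dst_ip: str, seg: bytes, checksum_src: str = None) -> bytes:
    """SIP ALG: rewrite the private address in the SIP/SDP text. The payload
    length changes, so length and checksum are rebuilt from scratch over
    whatever the ALG produced. checksum_src lets the caller model an ALG that
    recomputes with the wrong (pre-NAT) source address in the pseudo-header.
    Note the naive replace() would also hit e.g. "192.168.1.100": the kind of
    over-eager rewriting the thread complains about."""
    sport, dport = struct.unpack("!HH", seg[:4])
    payload = seg[8:].replace(old_src.encode(), new_src.encode())
    return build_udp(checksum_src or new_src, dst_ip, sport, dport, payload)


def flip_byte(seg: bytes, idx: int) -> bytes:
    """Corrupt one payload byte after the last checksum was computed."""
    return seg[:idx] + bytes([seg[idx] ^ 0x01]) + seg[idx + 1:]


PRIVATE, PUBLIC, PROXY = "192.168.1.10", "203.0.113.5", "198.51.100.20"
# Constructed SIP INVITE for the example; the private address appears in Via and in the SDP c= line.
SIP_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
              b"Content-Type: application/sdp\r\n\r\n"
              b"c=IN IP4 192.168.1.10\r\n")


def demo() -> dict:
    inside = build_udp(PRIVATE, PROXY, 5060, 5060, SIP_INVITE)
    plain_nat = nat44_rewrite_src(PRIVATE, PUBLIC, inside)
    good_alg = sip_alg(PRIVATE, PUBLIC, PROXY, inside)
    wrong_pseudo = sip_alg(PRIVATE, PUBLIC, PROXY, inside, checksum_src=PRIVATE)
    return {
        "inside_ok": verify_udp(PRIVATE, PROXY, inside),
        "nat_incremental_matches_full": plain_nat == build_udp(PUBLIC, PROXY, 5060, 5060, SIP_INVITE),
        "nat_ok": verify_udp(PUBLIC, PROXY, plain_nat),
        "alg_ok": verify_udp(PUBLIC, PROXY, good_alg),            # passes whatever the ALG wrote
        "alg_payload_rewritten": b"c=IN IP4 203.0.113.5" in good_alg,
        "alg_wrong_pseudo_ok": verify_udp(PUBLIC, PROXY, wrong_pseudo),  # dropped by receiver
        "flip_detected": not verify_udp(PUBLIC, PROXY, flip_byte(good_alg, 20)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the asymmetry in `demo()`: `alg_ok` is true because a recomputing middlebox is, from the checksum's point of view, just another sender, so a transport or IP checksum says nothing about what an ALG did to the payload; `alg_wrong_pseudo_ok` is false because a middlebox that recomputes with a stale pseudo-header produces traffic the far end silently discards, which from the user's side looks like "SIP just doesn't work through this gateway". Only `flip_detected` is the property the checksum actually guarantees: corruption after the last hop that rewrote it.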