RE: [Speermint] NATs and Firewalls
"Reinaldo Penno" <rpenno@juniper.net> Wed, 05 April 2006 20:33 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FREh6-0005hA-HS; Wed, 05 Apr 2006 16:33:36 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FREh5-0005h5-Gu for speermint@ietf.org; Wed, 05 Apr 2006 16:33:35 -0400
Received: from borg.juniper.net ([207.17.137.119]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FREh4-0003dV-LS for speermint@ietf.org; Wed, 05 Apr 2006 16:33:35 -0400
Received: from unknown (HELO proton.jnpr.net) ([10.10.2.37]) by borg.juniper.net with ESMTP; 05 Apr 2006 13:33:32 -0700
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAA==
X-IronPort-AV: i="4.04,90,1144047600"; d="scan'208"; a="541248044:sNHT29313676"
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Speermint] NATs and Firewalls
Date: Wed, 05 Apr 2006 16:33:31 -0400
Message-ID: <9BD5D7887235424FA97DFC223CAE3C2802DFE5F1@proton.jnpr.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Speermint] NATs and Firewalls
Thread-Index: AcZY76KNZWV3urZ5RJWs8nNOMaX6oQAAGSkw
From: Reinaldo Penno <rpenno@juniper.net>
To: Marshall Eubanks <tme@multicasttech.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9aa22b77adc37e7d33e29644e4dc0b33
Cc: Peter Macaulay <peter.macaulay@ZDSL.com>, speermint@ietf.org
X-BeenThere: speermint@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Mailing list for the speermint working group <speermint.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/speermint>, <mailto:speermint-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/speermint>
List-Post: <mailto:speermint@ietf.org>
List-Help: <mailto:speermint-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/speermint>, <mailto:speermint-request@ietf.org?subject=subscribe>
Errors-To: speermint-bounces@ietf.org
An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol Salman A. Baset and Henning Schulzrinne Department of Computer Science Columbia University, New York NY 10027 {salman,hgs}@cs.columbia.edu September 15, 2004 > -----Original Message----- > From: Marshall Eubanks [mailto:tme@multicasttech.com] > Sent: Wednesday, April 05, 2006 1:29 PM > To: Reinaldo Penno > Cc: Peter Macaulay; Drage, Keith (Keith); speermint@ietf.org > Subject: Re: [Speermint] NATs and Firewalls > > > On Apr 5, 2006, at 4:00 PM, Reinaldo Penno wrote: > > > Oh...The "S" word. I thought that was banned or something... > > > > Well, Columbia people performed a recent study on Skype. It uses a > > version of STUN to bypass firewall without the "other" user knowing it > > is a STUN server. There are other things it does that one would frown > > upon. > > Can you give a reference ? I am aware of > > http://saikat.guha.cc/pub/iptps06-skype.pdf and > http://www.brynosaurus.com/pub/net/p2pnat.pdf > > but no paper from Columbia. > > Regards > Marshall > > > > > On the other hand during the VON conference is San Jose I had the > > pleasure to participate in the big Pow Wow about P2P SIP. Most of the > > debate was centered on Skype. The impression I had when I left the > > room > > was that skype's success has nothing to do with it being P2P, but its > > ease of use and ability to overcome NAT/Firewalls. So, making sure our > > peer arch works well when endpoints in different domains are behind > > NATs, seems pretty important. > > > > Of all the NAT traversal methods, media relay (a typical SBC function) > > is one of the most foolproof. The call flow and the translation it > > needs > > to do are complex but it can overcome legacy NATs without any client > > modification (maybe symmetric RTP). > > > > Of course a SIP traversal method in the client itself bundled with the > > application software (or OS) would be simpler and have a higher > > adoption > > (as in skype). I guess the problem today is that there is no single > > solution. What you have is a set of methods. I guess others are better > > suited to talk about this topic in detail. > > > > Regards, > > > > Reinaldo > > > >> -----Original Message----- > >> From: Peter Macaulay [mailto:peter.macaulay@ZDSL.com] > >> Sent: Wednesday, April 05, 2006 6:59 AM > >> To: Drage, Keith (Keith); speermint@ietf.org > >> Subject: RE: [Speermint] NATs and Firewalls > >> > >> Agree. Let's avoid the term "SBC" in the speermint area. We don't > >> need the history lesson and the term is still evolving. I just > > finished > >> a Skype call and did not use a SBC to peer with my one in 6 million > > users. > >> > >> Yes, let's just define the requirements ... Edge Proxy, NAPT, Media > > Proxy, > >> Security Firewall and NAT/firewall traversal. > >> > >> /PETER MACAULAY > >> > >> At 05:23 AM 4/5/2006, Drage, Keith (Keith) wrote: > >>> And to support Richard on this. > >>> > >>> Please avoid using the term "SBC" in the speermint area. Please > >>> clearly identify the function of these supposed wonder boxes that > >>> you are addressing as an area of concern or advantage. Therefore if > >>> you mean NAT, say NAT, if you mean firewall, say firewall, if you > >>> mean something else, say so. These boxes contain so many features > >>> (in the widest sense of the word) that in the absence of specific > >>> information we get lost. > >>> > >>> regards > >>> > >>> Keith > >>> > >>>> -----Original Message----- > >>>> From: Stastny Richard [mailto:Richard.Stastny@oefeg.at] > >>>> Sent: 04 April 2006 18:15 > >>>> To: Hadriel Kaplan; Patrick Melampy; Reinaldo Penno; > >>>> speermint@ietf.org > >>>> Subject: [Speermint] NATs and Firewalls > >>>> > >>>> > >>>> I think some people out there either do not understand > >>>> the difference between NATs and firewalls or are starting > >>>> to believe their own propaganda > >>>> > >>>> NATs are NATs and firewalls are firewalls > >>>> > >>>> The worst misconception here is that a NAT is for providing > >>>> you security > >>>> against the bad Internet > >>>> > >>>> Private adress spaces have been introduced to save a scarce > > ressource > >>>> (or what some believed are a scarce ressource at some point of > > time) > >>>> > >>>> You can live very safe behind a properly configured firewall > >>>> using only > >>>> public IP adresses. > >>>> > >>>> The basic idea of IPv6 was to give every device on earth and also > >>>> within the solar system a unique public IP address > >>>> > >>>> But the fake security of NATs was already in the minds of > >>>> most people, that the first things that were implemented > >>>> in IPv6 where NATs for IPv6, which is a perversion > >>>> > >>>> Geoff Huston had once a nice eleborate on this in an IETF paper > >>>> > >>>> Richard > >>>> > >>>> ________________________________ > >>>> > >>>> Von: Hadriel Kaplan [mailto:HKaplan@acmepacket.com] > >>>> Gesendet: Di 04.04.2006 18:22 > >>>> An: Stastny Richard; 'Patrick Melampy'; 'Reinaldo Penno'; > >>>> speermint@ietf.org > >>>> Betreff: RE: [Speermint] Reachability > >>>> > >>>> > >>>> > >>>> Hi Richard, > >>>> And here we get to the fun stuff. :) > >>>> > >>>> The idea of every serving proxy/registrar/sip-node needing to > >>>> be publicly > >>>> addressable is neither an Internet requirement, nor a > >>>> requirement of the > >>>> IETF. Entire working groups in the IETF concern themselves > >>>> with allowing, > >>>> enabling, and inter-working private address spaces and VPNs. > >>>> What's missing > >>>> is how to join them at the application and transport layer, when > > that > >>>> application layer embeds addressing in itself. > >>>> > >>>> Most consumers on the planet Earth are in private address > >>>> spaces at this > >>>> point I think (i.e., 192.168.x.x), and many Enterprises are > >>>> as well. Entire > >>>> networks in some countries are privately addressed, yet they > >>>> are members of, > >>>> and use, the Internet. There are also now 2 disjoint address > >>>> groups defined > >>>> by the IETF, as you know: IPv4 and IPv6. There are > >>>> mechanisms to try to > >>>> provide interoperation/migration support for them, but that > > typically > >>>> requires intermediaries. > >>>> > >>>> So I agree with you there needs to be an entity providing an > >>>> ingress (and > >>>> egress) point(s), either on the public network for it to be > >>>> public, or for > >>>> it to cross into another private address domain. For this > >>>> WG's purpose, I > >>>> recommend we allow either model to work, as well as the model > >>>> of the private > >>>> going to public (and vice-versa) so long as the peering > >>>> element of both > >>>> sides are in the same public or private space. > >>>> > >>>> -Hadriel > >>>> > >>>> > >>>>> -----Original Message----- > >>>>> From: Stastny Richard [mailto:Richard.Stastny@oefeg.at] > >>>>> Sent: Tuesday, April 04, 2006 9:55 AM > >>>>> To: Patrick Melampy; Reinaldo Penno; Hadriel Kaplan; > >>>> speermint@ietf.org > >>>>> Subject: Re: [Speermint] Reachability > >>>>> > >>>>>> The conclusion here -- every endpoint and every serving > >>>> proxy/registrar > >>>>>> needs to be publicly addressable. > >>>>> > >>>>> This was my basic assumption, and I seemed not so clear to > >>>> everybody. > >>>>> This was also why I had a problem with Sohel's presentation > >>>> at the IETF, > >>>>> because I did not see any public adressable entities AT ALL. > >>>>> > >>>>> For the avoidance of doubt: I have no problem if the same > > peering > >>>>> principles we develop here are used between some entities > >>>> in a private > >>>>> network, > >>>>> but it is not out task to consider this separately. Because > >>>> if it works > >>>>> on the Internet, it also works in a private network > >>>> (extranet in this > >>>>> case) > >>>>> (see DNS). this private network may even use public IP > >>>> adresses, but if > >>>>> the > >>>>> are not routable from the public Internet, they are could as > > well be > >>>>> private > >>>>> (example IPX) > >>>>> > >>>>> What never can work is a peering between one entity on the > >>>> public network > >>>>> and one on a private network. The private entities need at > >>>> least to have > >>>>> one > >>>>> ingress element on the public network > >>>>> > >>>>> Richard > >>>>> > >>>>> ________________________________ > >>>>> > >>>>> Von: Patrick Melampy [mailto:PMelampy@acmepacket.com] > >>>>> Gesendet: Di 04.04.2006 15:29 > >>>>> An: 'Reinaldo Penno'; 'Hadriel Kaplan'; speermint@ietf.org > >>>>> Betreff: RE: [Speermint] Reachability > >>>>> > >>>>> > >>>>> > >>>>> Reinaldo -- I agree with your assertions. > >>>>> > >>>>> But I want to ensure everybody understands what your really > >>>> saying here. > >>>>> > >>>>> Before somebody mentions it...for a UA behind a NAT to be > >>>> reachable, > >>>>> he/she needs a public NAT binding so that a session > >>>> _initiated_ from the > >>>>> public side can be made to him/her. > >>>>> > >>>>> This means that for carrier to carrier peering models, each > >>>> and every > >>>>> customer of every carrier that wants to inter-connect needs > >>>> to have a > >>>>> 'public NAT binding'. > >>>>> > >>>>> I believe by extension, this means that a serving > >>>> proxy/registrar for the > >>>>> target of a communication must ALSO have either a public > >>>> address or a > >>>>> public > >>>>> NAT binding. > >>>>> > >>>>> The conclusion here -- every endpoint and every serving > >>>> proxy/registrar > >>>>> needs to be publicly addressable. > >>>>> > >>>>> Am I correct? > >>>>> -----Original Message----- > >>>>> From: Reinaldo Penno [mailto:rpenno@juniper.net] > >>>>> Sent: Tuesday, April 04, 2006 5:29 AM > >>>>> To: Hadriel Kaplan; speermint@ietf.org > >>>>> Subject: RE: [Speermint] Reachability > >>>>> > >>>>> Hello Hadriel, > >>>>> > >>>>> Comment inline.... > >>>>> > >>>>>> -----Original Message----- > >>>>>> From: Hadriel Kaplan [mailto:HKaplan@acmepacket.com] > >>>>>> Sent: Monday, April 03, 2006 11:01 PM > >>>>>> To: Reinaldo Penno; speermint@ietf.org > >>>>>> Subject: RE: [Speermint] Reachability > >>>>>> > >>>>>> Hi Reinaldo, > >>>>>> Comments inline... > >>>>>> > >>>>>>> -----Original Message----- > >>>>>>> From: Reinaldo Penno [mailto:rpenno@juniper.net] > >>>>>>> > >>>>>>> Maybe I'm missing something, but given that this workgroup > > is > >>>>> interested > >>>>>>> only in call routing (E.164 is out of scope), do we > >>>> really need to > >>>>> care > >>>>>>> about that? An AoR in the end will be translated to an > >>>> IP address, > >>>>> and > >>>>>>> IP addresses have a very good definition of public and > >>>> private (in > >>>>> IPv4 > >>>>>>> and IPv6). > >>>>>> > >>>>>> I don't understand fully what you mean. An AoR is only fully > >>>>> "translated" > >>>>>> to an IP Address (and really to a contact URI) by the > >>>> AoR's domain. > >>>>> So > >>>>>> what > >>>>>> you're saying is if the AoR's user-part represents a > >>>> consumer behind a > >>>>>> home > >>>>>> NAT (a private IP), then it is a private AoR; but for > >>>> those consumers > >>>>> who > >>>>>> don't use home-NATs then it's a public AoR? > >>>>> [[Reinaldo]] > >>>>> > >>>>> Hello, > >>>>> > >>>>> Actually I'm trying to understand the whole purpose of the > >>>> discussion, > >>>>> that's why I gave that example. I was trying to understand why > > it > >>>>> matters, before getting knee deep into the classification. > >>>> Can someone > >>>>> refresh that for me? > >>>>> > >>>>> So, if SIP peering is going to get woven into the fabric of the > >>>>> internet, the rules for domains names, DNS resolution, private > > vs. > >>>>> public IP address, etc should apply, right? > >>>>> > >>>>> I believe the current model of host to host or email > >>>> communication is > >>>>> not different for SIP. We could have the following main > >>>>> situations...(correct me where I'm wrong). > >>>>> > >>>>> 1) The AoR (just like a traditional domain name or email), > >>>> in the end > >>>>> will get resolved into an IP address. Then there are only two > >>>>> situations. > >>>>> > >>>>> a) the IP address is private (RFC 1918). > >>>>> > >>>>> This means the SIP endpoint is unreachable unless you > >>>> are also in the > >>>>> same private network. Actually I believe a private IP address > > cannot > >>>>> even be provisioned in a public DNS. > >>>>> > >>>>> Before somebody mentions it...for a UA behind a NAT to > >>>> be reachable, > >>>>> he/she needs a public NAT binding so that a session > >>>> _initiated_ from the > >>>>> public side can be made to him/her. > >>>>> > >>>>> b) the IP address is public. > >>>>> > >>>>> The SIP endpoint is theoretically reachable. > >>>>> > >>>>> 2) The AoR cannot get translated. Again, just like the > >>>> Internet we have > >>>>> today, this means the domain name/user is private, does not > >>>> exist, etc > >>>>> > >>>>> All this has been happening okay with just a few basic > >>>> rules. If an AoR > >>>>> is very similar to an email address, why it would not work with > > the > >>>>> current infrastructure/definitions? > >>>>> > >>>>> If somebody says that they have a "private" email address or > > domain > >>>>> name, what is your interpretation of that? > >>>>> > >>>>> Regards, > >>>>> > >>>>> Reinaldo > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> And if the AoR gets > >>>>>> translated > >>>>>> into an IP by a registrar inside a private IP subnet, and > >>>> somehow it > >>>>> later > >>>>>> gets translated into the public IP address space, that's > >>>> also private > >>>>>> because the AoR was translated to a private IP originally? > >>>>>> > >>>>>> Or maybe you mean what the domain part of the AoR resolves to? > >>>>>> > >>>>>>> For you to be "SIP reachable", you need to be IP > >>>> reachable first, > >>>>> let's > >>>>>>> not forget about that. And if you are IP reachable, you > > could > >>>>>>> potentially be SIP reachable by registering to some > >>>> free SIP service > >>>>> (or > >>>>>>> the SIP "domain" above you in the hierarchy...if this was > > the > >>>>> email/DNS > >>>>>>> model). > >>>>>> > >>>>>> Actually, to be very specific ultimate target of the AoR > >>>> can be "sip > >>>>>> reachable" but not IP reachable. But I think for now we > >>>> should ignore > >>>>> the > >>>>>> implications of that, unless it becomes a problem. > >>>>>> > >>>>>> -hadriel > >>>>> > >>>>> _______________________________________________ > >>>>> Speermint mailing list > >>>>> Speermint@ietf.org > >>>>> https://www1.ietf.org/mailman/listinfo/speermint > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> Speermint mailing list > >>>>> Speermint@ietf.org > >>>>> https://www1.ietf.org/mailman/listinfo/speermint > >>>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> Speermint mailing list > >>>> Speermint@ietf.org > >>>> https://www1.ietf.org/mailman/listinfo/speermint > >>>> > >>> > >>> _______________________________________________ > >>> Speermint mailing list > >>> Speermint@ietf.org > >>> https://www1.ietf.org/mailman/listinfo/speermint > >> > >> _______________________________________________ > >> Speermint mailing list > >> Speermint@ietf.org > >> https://www1.ietf.org/mailman/listinfo/speermint > > > > _______________________________________________ > > Speermint mailing list > > Speermint@ietf.org > > https://www1.ietf.org/mailman/listinfo/speermint _______________________________________________ Speermint mailing list Speermint@ietf.org https://www1.ietf.org/mailman/listinfo/speermint
- [Speermint] NATs and Firewalls Stastny Richard
- RE: [Speermint] NATs and Firewalls Malas, Daryl
- [Speermint] RE: NATs and Firewalls Hadriel Kaplan
- [Speermint] Re: NATs and Firewalls Stastny Richard
- [Speermint] RE: NATs and Firewalls Hadriel Kaplan
- [Speermint] RE: NATs and Firewalls Patrick Melampy
- RE: [Speermint] NATs and Firewalls Drage, Keith (Keith)
- Re: [Speermint] NATs and Firewalls Spencer Dawkins
- RE: [Speermint] NATs and Firewalls Patrick Melampy
- Re: [Speermint] RE: NATs and Firewalls Jonathan Rosenberg
- Re: [Speermint] NATs and Firewalls Spencer Dawkins
- RE: [Speermint] NATs and Firewalls Peter Macaulay
- RE: [Speermint] NATs and Firewalls Michael Hammer (mhammer)
- RE: [Speermint] NATs and Firewalls Khan, Sohel Q [CTO]
- RE: [Speermint] RE: NATs and Firewalls Hadriel Kaplan
- RE: [Speermint] NATs and Firewalls Malas, Daryl
- RE: [Speermint] NATs and Firewalls Uzelac, Adam
- RE: [Speermint] NATs and Firewalls Medhavi Bhatia
- RE: [Speermint] NATs and Firewalls Malas, Daryl
- RE: [Speermint] RE: NATs and Firewalls Khan, Sohel Q [CTO]
- RE: [Speermint] NATs and Firewalls Hadriel Kaplan
- RE: [Speermint] NATs and Firewalls Hadriel Kaplan
- RE: [Speermint] NATs and Firewalls Hadriel Kaplan
- Re: [Speermint] NATs and Firewalls Stastny Richard
- RE: [Speermint] NATs and Firewalls Reinaldo Penno
- RE: [Speermint] NATs and Firewalls Reinaldo Penno
- RE: [Speermint] NATs and Firewalls Medhavi Bhatia
- RE: [Speermint] NATs and Firewalls Uzelac, Adam
- RE: [Speermint] NATs and Firewalls Reinaldo Penno
- Re: [Speermint] NATs and Firewalls Marshall Eubanks
- RE: [Speermint] NATs and Firewalls Reinaldo Penno
- Re: [Speermint] NATs and Firewalls Marshall Eubanks
- RE: [Speermint] NATs and Firewalls Hadriel Kaplan
- RE: [Speermint] NATs and Firewalls Hadriel Kaplan
- RE: [Speermint] NATs and Firewalls Medhavi Bhatia
- RE: [Speermint] NATs and Firewalls Stastny Richard
- RE: [Speermint] NATs and Firewalls Hadriel Kaplan