Re: Comments on NAT RFC - 4787

To: ipfilter@coombs.anu.edu.au
Subject: Re: Comments on NAT RFC - 4787
From: james woodyatt <jhw@apple.com>
Date: Tue, 6 Feb 2007 15:54:21 -0800
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <200702062233.l16MXev27354@carus.anu.edu.au>
References: <200702062233.l16MXev27354@carus.anu.edu.au>
Sender: owner-ipfilter@coombs.anu.edu.au
On Feb 6, 2007, at 14:33, Darren Reed wrote:

> A new RFC has been published with requirements for NATs:
>
> http://www.rfc-editor.org/rfc/rfc4787.txt
>
> Which requirements do people think are important to IPFilter,
> where they actually apply?

I wish I had seen this RFC while it was still in draft form, and while I could have argued with the authors about it.

p1. I think the recommendation in REQ-4 is a poor strategy for solving the basic problem. Rather, NAT devices should just implement a decent ALG for RTSP and RTP sessions. Anything less is really silly, if you ask me.

p2. I think the requirement in REQ-7(1) is a bad idea, and I think REQ-7(2) is fraught with ill-considered peril. I very much doubt that REQ-7 will ever be met in practice with a reasonable implementation of REQ-7(2), i.e. twice-NAT, and the requirement in REQ-7(1) implies that the "internal" network (bad terminology there) has to be renumbered whenever a change in the dynamically assigned external addresses causes a conflict. I'm opposed to REQ-7 altogether, and I don't see it as a "best current practice" at all. IPFilter should give it a raspberry.

p3. I think REQ-8 looks like the result of a typical IETF clustergrope. A more sensible draft would simply say that filtering and translation are orthogonal problems. I would have left out section 5 altogether, and I'm disappointed that the IAB didn't react to this language about "a more stringent filtering behavior" being "most important" by whipping on its big, steel-toed jackboots and curb-stomping its authors like narcs at a biker rally. Application transparency is the only thing that's important in NAT behavior. Full stop. Next question.

p4. I think REQ-9 is under-specified. It really needs explicit language to require proper translation of ICMP error responses.

p5. I think REQ-10 is a joke^H^H^H^H great idea. Thank you for the recommendations. I will bring them up in my next meeting with the user interface specialists in our product design department. (Of course, the issue is moot for IPFilter, which already complies.)

p6. I think there are several sections missing, that need to cover what used to be called "basic NAT" translation, i.e. what IPFilter does when you give it a BIMAP rule. It plays hell with "port preservation" and makes "non-determinism" impossible in the presence of "address-dependent" mapping to internal hosts that are not subject to the "basic NAT" translation mapping.

--
james woodyatt <jhw@apple.com>
member of technical staff
apple computer, inc.