[nemo] RE: [Mip6] NAT traversal and cellular network administrative filtering
john.loughney@nokia.com Mon, 14 March 2005 06:40 UTC
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA24745 for <nemo-archive@lists.ietf.org>; Mon, 14 Mar 2005 01:40:26 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DAjC1-0005xp-W4; Mon, 14 Mar 2005 01:36:46 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DAj5l-0005LF-8M; Mon, 14 Mar 2005 01:30:17 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA23898; Mon, 14 Mar 2005 01:30:16 -0500 (EST)
From: john.loughney@nokia.com
Received: from mgw-x3.nokia.com ([131.228.20.26]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DAj9J-00015Z-FN; Mon, 14 Mar 2005 01:33:58 -0500
Received: from esdks004.ntc.nokia.com (esdks004.ntc.nokia.com [172.21.138.159]) by mgw-x3.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j2E6U3o26371; Mon, 14 Mar 2005 08:30:05 +0200 (EET)
X-Scanned: Mon, 14 Mar 2005 08:29:12 +0200 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks004.ntc.nokia.com (8.12.9/8.12.9) id j2E6TCbJ002599; Mon, 14 Mar 2005 08:29:12 +0200
Received: from mgw-int2.ntc.nokia.com (172.21.143.97) by esdks004.ntc.nokia.com 004O5NRH; Mon, 14 Mar 2005 08:29:11 EET
Received: from esebh002.NOE.Nokia.com (esebh002.ntc.nokia.com [172.21.138.77]) by mgw-int2.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j2E6TAU15130; Mon, 14 Mar 2005 08:29:10 +0200 (EET)
Received: from esebe016.NOE.Nokia.com ([172.21.138.55]) by esebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Mon, 14 Mar 2005 08:28:42 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebe016.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Mon, 14 Mar 2005 08:28:41 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Mar 2005 08:28:40 +0200
Message-ID: <FBA7FB88A51E804BA4A111CDFD2DE638603F2C@esebe105.NOE.Nokia.com>
Thread-Topic: [Mip6] NAT traversal and cellular network administrative filtering
thread-index: AcUnCEWFWpn9HASgRyqZhxMaMNcDnwBVqKhA
To: wivancic@grc.nasa.gov, mip4@ietf.org, mip6@ietf.org, nemo@ietf.org, hip@ietf.org
X-OriginalArrivalTime: 14 Mar 2005 06:28:41.0062 (UTC) FILETIME=[10502860:01C5285F]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 944ecb6e61f753561f559a497458fb4f
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Mon, 14 Mar 2005 01:36:44 -0500
Subject: [nemo] RE: [Mip6] NAT traversal and cellular network administrative filtering
X-BeenThere: nemo@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NEMO Working Group <nemo.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nemo>, <mailto:nemo-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nemo@ietf.org>
List-Help: <mailto:nemo-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nemo>, <mailto:nemo-request@ietf.org?subject=subscribe>
Sender: nemo-bounces@ietf.org
Errors-To: nemo-bounces@ietf.org
Content-Transfer-Encoding: quoted-printable
Hi Will, Just as an FYI - 3GPP2 is starting to work on firewall signaling: http://www.ietf.org/internet-drafts/draft-bajko-nsis-fw-reqs-00.txt This is meant so that terminals could selectively open or close firewall pinholes, so this could potentially help with this issue. John > -----Original Message----- > From: mip6-bounces@ietf.org [mailto:mip6-bounces@ietf.org]On Behalf Of > ext ivancic > Sent: 11 March, 2005 21:07 > To: mip4@ietf.org; mip6@ietf.org; nemo; hip@ietf.org > Subject: [Mip6] NAT traversal and cellular network administrative > filtering > > > Please excuse the cross-post. > > This week I sat in 4 IETF sessions that all where discussing very > similar, if not the same, problem of NAT traversal. HIP, MIP6 > and NEMO > where generally discussing 6 to 4 tunneling issues and the need to > address NATs. MIP4 was not concerned with 6 to 4 tunneling, just NAT > traversal in general. > > I have used Cisco’s mobile networking MIP4 code with NAT > traversal and > Cisco’s (draft-thubert-nemo-ipv4-traversal-01 - expired) Doors 6 to 4 > UDP-base tunneling NAT traversal code. > > Both work, but here is something to be aware of. About 18 > months ago we > noticed T-Mobile began administratively filtering traffic. The end > result is that traffic that does not originate from the > T-Mobile network > gets blocked. They appear to be using ports to map the traffic. Thus, > and IP-in-IP tunnel gets blocked even though the initial traffic came > from within T-Mobile’s network (no ports to map to for IP-in-IP > tunnels). UDP tunnels operate over this. That is why we used > T-Mobile’s > links for an mobile-ipv6 demonstration. The Doors > implementation could > handle this. > > (See: > http://roland.grc.nasa.gov/~ivancic/ICNS2004_Demo/ICNS2004_Demo.htm) > > Sprint and Verizon may have recently started administratively > filtering > data – similar result as NATing even though you have unchanged public > address space. One way to cope with this is UDP-in-IP tunneling, the > same as with NAT traversal code. > > NOTE: Depending on the implementation, you may have to force UDP > tunneling, because the address is not changing (CoA and > actual address). > Thus, there is no easy way to auto-sense that you are getting > administratively filtered. I suspect this will break a lot of > implementations for NAT traversal – as this really isn’t NAT > traversal, > but “weak” firewall traversal. > > I spoke to T-Mobile when this first started happening (actually found > the right person). They said that the filtering was put into place to > eliminate worms probing the networks. The filtering was done > no so much > for security as to protect the valuable RF bandwidth. > T-Mobile is GPRS > and you really get somewhere around 30 kbps in practice. Sprint and > Verizon are 1xRTT and get around 40 to 60 kbps in practice. > Thus, worms > were starting to effect the usable bandwidth and QoS – or at > least that > was the fear. Thus, I agree with their security > implementations as the > reasoning appears valid. > > See this URL for the T-Mobile problem: > http://roland.grc.nasa.gov/~ivancic/t-mobile > <http://roland.grc.nasa.gov/%7Eivancic/t-mobile> > http://roland.grc.nasa.gov/~ivancic/t-mobile/Letter_Customer_S ervice.pdf <http://roland.grc.nasa.gov/%7Eivancic/t-mobile/Letter_Customer_Service.pdf> http://roland.grc.nasa.gov/~ivancic/t-mobile/administrative_filtering.pdf <http://roland.grc.nasa.gov/%7Eivancic/t-mobile/administrative_filtering.pdf> NATs breaks a lot of things. Security breaks the rest! J Will Ivancic _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www1.ietf.org/mailman/listinfo/mip6
- [nemo] NAT traversal and cellular network adminis… ivancic
- Re: [nemo] NAT traversal and cellular network adm… Alexandru Petrescu
- [nemo] Re: [Mip4] NAT traversal and cellular netw… Sami Vaarala
- [nemo] RE: [Mip6] NAT traversal and cellular netw… john.loughney
- RE: [nemo] NAT traversal and cellular network adm… Pascal Thubert (pthubert)
- Re: [nemo] NAT traversal and cellular network adm… Alexandru Petrescu
- [nemo] Nemo IPv4 network Traversal Brijesh Kumar
- RE: [nemo] NAT traversal and cellular network adm… Pascal Thubert (pthubert)