Re: firewall and NAT I-D available
Jiri Kuthan <kuthan@fokus.gmd.de> Thu, 09 March 2000 22:38 UTC
Received: from lists.research.bell-labs.com (paperless.dnrc.bell-labs.com [135.180.161.172]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA19473 for <sip-archive@odin.ietf.org>; Thu, 9 Mar 2000 17:38:08 -0500 (EST)
Received: by lists.research.bell-labs.com (Postfix) id 839F352AB; Thu, 9 Mar 2000 17:35:24 -0500 (EST)
Delivered-To: sip-outgoing-local@paperless.dnrc.bell-labs.com
Received: by lists.research.bell-labs.com (Postfix, from userid 20006) id EDD3E52B6; Thu, 9 Mar 2000 17:35:23 -0500 (EST)
Delivered-To: sip-local@paperless.dnrc.bell-labs.com
Received: from scummy.research.bell-labs.com (guard.research.bell-labs.com [135.104.2.10]) by lists.research.bell-labs.com (Postfix) with SMTP id F40D752AB for <sip@lists.research.bell-labs.com>; Thu, 9 Mar 2000 17:35:06 -0500 (EST)
Received: from dusty.research.bell-labs.com ([135.104.2.7]) by scummy; Thu Mar 9 17:33:56 EST 2000
Received: from mailhub.fokus.gmd.de ([193.174.154.14]) by dusty; Thu Mar 9 17:31:20 EST 2000
Received: from fokus.gmd.de (jobe [193.175.132.219]) by mailhub.fokus.gmd.de (8.8.8/8.8.8) with ESMTP id XAA03011; Thu, 9 Mar 2000 23:32:45 +0100 (MET)
Message-ID: <38C826CE.A061C6F0@fokus.gmd.de>
Date: Thu, 09 Mar 2000 23:33:50 +0100
From: Jiri Kuthan <kuthan@fokus.gmd.de>
Organization: GMD Fokus
X-Mailer: Mozilla 4.72 [en] (X11; U; SunOS 5.5.1 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Cc: sip@lists.research.bell-labs.com, foeckel@fokus.gmd.de
Subject: Re: firewall and NAT I-D available
References: <38B38A82.E9D934CD@dynamicsoft.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-sip@lists.research.bell-labs.com
Precedence: bulk
Content-Transfer-Encoding: 7bit
Jonathan,
draft-rosenberg-sip-firewalls is a very useful I-D that covered
a big gap successfully.
Some points follow that I have discussed with my colleagues recently.
(The conclusion is that a kind of firewall control protocol is
needed. Initial requirements are described in a separate I-D.)
1) You suggest using SOCKS (Section 5) as a possible alternative for
"Firewall Control Protocol" (FCP). I am not sure SOCKS will help
even without NAT.
The discussed scheme looks like this:A packet filter implements
'default-deny' policy which explicitly permits traffic from and
to SIP Proxy (ALG in generic terms). The SIP Proxy is in charge
of opening pinholes in the packet filters during a SIP session.
SIP
SIP +---------+_____________ |
________|SIP Proxy| \ |
/ +---------+.. +----+---------------+
| : | |
| : FCP +-----+------------+ |
| :...........| FCP | Filtering | |
| FTP +---------+.............| unit| Rules Table| |
| _____|FTP Proxy|_____________+-----+------------+ |
| / +---------+ | Packet Filter |
| | -----| |
+-----------+ / +----+---------------+
+-----------+| data streams / |
+-----------+||----------------/ |
|end-devices|| (RTP, ftp-data, etc.) |
+-----------+ |
|
Inside | Outside
With SOCKS, there is a UDP relayer which is most likely colocated
with the packet filter to avoid introducing an additional hop
along the data path. Then, the SIP Proxy needs to instruct the
UDP relayer to receive incoming media streams. Unfortunately,
SOCKS V5 does not allow to bind to publicly available *UDP*
ports and receive at it. (The same problem applies if the end
devices communicate with SOCKS server on their own.) Some
documentation at www.socks5.com claims this is/will be fixed
in V6. You could fix it by issuing a "UDP ASSOCIATE" command
that would permit streams going to receivers address. This would
possibly require the sender to be SOCKS-aware and encapsulate UDP
packets in SOCKS wrappers; at least this is how I understand RFC
1928 saying "Each UDP datagram carries a UDP request header with
it."
I also guess, that even if SDP included sender's port number there
would be no way to communicate them to SOCKS server.
2) The scheme above implies many filtering rules, at least compared
to numbers common today. This may have performance implications.
I would suggest including a "performance issues" section which
states this problem. Briefly: too may rules->rule lookup
computationaly expensive->increased packet latency. Algorithm
allowing for fast lookup in big frequently changing flow tables
are needed. These issues have been researched intensively, for
example in:
[1] A. Feldmann, S. Muthukrishnann: Tradeoffs for Packet
Classification.
In Proc. IEEE INFOCOM 2000, 2000.
[2] V. Srinivasan, S. Suri, G. Varghese: PAcket Classification Using
Tuple Space Search. In Proc. ACM SIGCOMM '99, 1999.
[3] P. Gupta, N. McKeown: Packet Classification on Multiple Fields.
In Proc. ACM SIGCOMM '99, 1999.
3) I guess it would be useful to say explicitly that a SIP proxy
controlling
a firewall needs to keep state during the entire session in order to
be able to close appropriate pinholes on session termination. (This
probably belongs to the last paragraph in Section 5, if I did not
overlook it somewhere else.)
4) My understanding of Section 6.6 is you assume hard-state filtering
rules in packet filters and tearing them down by SIP proxies.
I would say that the expiry timeout should tick where the state
resides. The packet filter could maintain timeouts on its own,
possibly giving ALGs chance to set up the expiration time, because
ALGs understand best how long period is appropriate to specific
applications. SIP proxy may then simply translate
SIP keep-alive-messages into filtering-rule-keep-alive-messages. It
works in case of UA as well es proxy (which is stateful, see point 3)
failure.
5) Summary: there is no existing applicable protocol for firewall
control. This protocol is needed to allow ALGs to reside out of
packet
filters. Which is, IMHO, desirable since it allows to reuse existing
logic sitting in ALGs (SIP proxies) and relieves *packet* filters
from
performing application filtering. We need to summarize requirements
for
firewall control protocol and see if there is an existing protocol we
could reuse (e.g. extended SOCKS, or SNMP with a "packet filter MIB"
or
whatever).
I made an attempt to capture the basic requirements and submitted it
as draft-kuthan-fcp-00.txt. Until it appears in IETF directories it
is
available at
http://www.fokus.gmd.de/research/cc/glone/employees/jiri.kuthan/private/draft-kuthan-fcp-00.txt
Unfortunately, I will be off-line and not able to join discussion
before March 21st.
Jiri
Jonathan Rosenberg wrote:
>
> Folks,
>
> Some colleagues and I have written and Internet Draft on getting SIP
> through firewalls and NATs. It discusess the various configurations and
> problems, and describes in detail the processing required to get things
> working. The draft should appear in the archives shortly. Until it does,
> you can pick up a copy at:
>
> http://www.cs.columbia.edu/~jdrosen/papers/draft-rosenberg-sip-firewalls-00.txt
>
> Thanks,
> Jonathan R.
> --
> Jonathan D. Rosenberg 200 Executive Drive
> Chief Scientist Suite 120
> dynamicsoft West Orange, NJ 07052
> jdrosen@dynamicsoft.com FAX: (732) 741-4778
> http://www.cs.columbia.edu/~jdrosen PHONE: (732) 741-7244
> http://www.dynamicsoft.com
--
Jiri Kuthan Phone: +(49) / 30 - 3463 7 271
GMD FOKUS Fax : +(49) / 30 - 3463 8 271
Kaiserin-Augusta-Allee 31 E-Mail : kuthan@fokus.gmd.de
D-10589 Berlin, Germany WWW : http://www.fokus.gmd.de/usr/kuthan
- Re: firewall and NAT I-D available Jiri Kuthan
- firewall and NAT I-D available Jonathan Rosenberg