ext Melinda Shore wrote:
> On 7/31/07 4:09 AM, "Aki Niemi" <aki.niemi@xxxxxxxxx> wrote:
>> Continuing on something heard at the technical plenary last week. There
>> were people complaining that while protocols like STUN/TURN and ICE are
>> traversing NAT, they are in fact bypassing firewall policies, which they
>> should not be doing.
>
> I think it's more complicated than that.
> 1) there were complaints about the difficulties caused
>    specifically by firewalls (apart from NATs)
> 2) Eric said that the IETF is producing firewall traversal
>    protocols like ICE
> 3) I pointed out that ICE is a NAT traversal protocol, not
>    a firewall traversal protocol, and that a key functional
>    difference is that NATs don't really do policy (beyond
>    address policy) while firewalls are specifically policy
>    devices.
>
> Where I think we differ is in what we think firewalls ought
> to do. While the default policy of a residential firewall
> probably should be something along the lines of "keep
> unsolicited traffic out," enterprise policies tend to be and
> should be a lot richer.

True, therefore it's not a good idea to group all firewalls together. You draw a distinction between a NAT and a firewall; I would take this further and draw a distinction between a NAT, a stateful firewall (a close relative to NAT) and a stateless firewall (e.g., an enterprise firewall).

> STUN and ICE effectively work by side-effect, creating NAT
> table mappings simply by passing data across the NAT. In the
> firewall case you really must allow the firewall the possibility
> to say "no," and you should give the firewall the data it
> needs to make an informed decision. That data might include
> application identification, user credentials - whatever
> information is used as the basis for a policy decision. It's
> also nice if you're able to tell the application that its
> request has been denied so that it can fail and/or recover
> gracefully.

While I agree that interacting with an enterprise firewall is probably best done with an explicit control interface -- one where credentials can be issued and authorization policies enforced -- I don't think it necessarily means all firewalls are best handled this way. In fact, ICE by default won't help you with the enterprise firewall, but it's exactly the tool to use for the stateful firewall on a home router box.

Then again, if the enterprise so chooses, it could indeed deploy TURN as this explicit control interface, rather than the SBC-type box typically used today. ICE could accommodate this as well.

> I also think the assumption that any media flows across a
> firewall ought to be allowed is questionable, but that's a
> somewhat different matter.

Again, depends on the firewall. In an enterprise this might not be a reasonable assumption, but on the typical home router box, I very much doubt whether it makes any difference if the flow carries VoIP or internet radio streaming or a webcam feed. Why do you think it does?

Cheers,
Aki

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
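As an added illustration of the distinction the exchange above draws (not code from the thread, from any IETF specification, or from any real product): a constructed model in which a stateful firewall admits inbound packets purely as a side effect of earlier outbound traffic, the behaviour STUN/ICE rely on, while a policy firewall admits only flows that an explicit, authorized request has opened and can answer "no" so the application can fail gracefully. The class names, addresses, user names and the authorization rule are all assumptions.

```python
"""Constructed model of the two firewall behaviours discussed in the thread.

Not the behaviour of any real product or of STUN/ICE/TURN themselves:
addresses, user names and the authorization rule are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    inbound: bool  # True if the packet arrives on the outside interface


@dataclass
class StatefulFirewall:
    """Pinholes appear as a side effect of outbound traffic (what STUN/ICE rely on)."""
    pinholes: dict = field(default_factory=dict)  # inside endpoint -> set of outside peers

    def forward(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Any outbound packet, e.g. a STUN Binding request, opens a pinhole
            self.pinholes.setdefault(pkt.src, set()).add(pkt.dst)
            return True
        # Unsolicited inbound traffic is dropped; traffic from a known peer passes
        return pkt.src in self.pinholes.get(pkt.dst, set())


@dataclass
class PolicyFirewall:
    """Flows are admitted only after an explicit request the firewall may refuse."""
    authorized_users: frozenset
    allowed_flows: set = field(default_factory=set)  # (inside, outside) pairs

    def request(self, user: str, inside: str, outside: str) -> str:
        """Control interface: returns 'granted' or 'denied' so the app can react."""
        if user not in self.authorized_users:
            return "denied"
        self.allowed_flows.add((inside, outside))
        return "granted"

    def forward(self, pkt: Packet) -> bool:
        # Direction does not matter; only an explicitly granted flow passes
        flow = (pkt.dst, pkt.src) if pkt.inbound else (pkt.src, pkt.dst)
        return flow in self.allowed_flows
```

The stateful model never rejects an outbound packet, so it cannot carry a policy decision back to the application; the policy model can, but only because a control request precedes the flow.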