> On Dec 14, 2015, at 4:14 PM, Alexey Eromenko <al4321@xxxxxxxxx> wrote:
>
> Now, if we want to protect vs. data mangling by middleboxes, we need
> to look not only at switches, but also at NAT Routers (including cheap
> home routers, and load-balancers) -- those *can* mangle any TCP data,
> and compute the wrong checksum there!

I’d like to be idealistic here, but the problem is fairly catastrophic and widespread.

Things like UDP/5060 are badly mangled by ALG, including my favorite that you can remotely reboot many of the AT&T Uverse boxes by sending them SIP frames for devices through their ALG/NAT44.

Most home gateways have some broken ALG that actually makes things worse, including when Cisco originally implemented SIP ALG and broke the original Apple “iChat A/V” SIP messages so they no longer worked properly.

The workaround we’ve been slowly moving to is shifting services to alternate ports that aren’t damaged by these transparent and helpful devices. Our instructions to users say “Turn off SIP-ALG” in your device, but things like the carrier-provided devices don’t expose these options depending on the hardware revision, or just plain forget they have an internal interface for SIP traffic, and when you send them a check-config NOTIFY they consume it themselves and crash/reboot.

I tried to report these problems, and captured many others when doing the OpenResolverProject scans, including NATs that spoofed the source address to their ALG-DNS ports/servers.

Middleboxes are a giant unmitigated disaster of mostly consumer- or carrier-provided devices that undergo zero testing and are part of what I’ve dubbed the “IoT” (Internet of Trash), which will never be upgraded or administered.

What you have instead is everyone performing an effective overlay or plain VPN around these devices that damage traffic.

- jared
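A concrete way to check for the SIP ALG mangling Jared describes, added here as an example and not part of the original thread: send a SIP request from inside the NAT to a reflector you control on the public side, then diff the copy that arrives against what you sent. The script below does the diffing part offline on two constructed messages. The private and public addresses are documentation ranges, the rewriting (Via, Contact and SDP rewritten, Content-Length left stale) is a hypothetical ALG rather than any particular gateway, and the `build_message`/`alg_diff` names are mine.

```python
"""Diff a SIP request as sent against the copy that reached the far end,
to see what a SIP ALG in the path rewrote.  Added example, not code from
the mailing-list thread; sample messages below are constructed."""
from itertools import zip_longest

# Header fields consumer SIP ALGs typically rewrite when they see private
# addresses.  The SDP c=/m= lines are handled separately.
ALG_SENSITIVE_HEADERS = ("via", "contact", "from", "to", "call-id")


def build_message(start_line, headers, body, content_length=None):
    """Assemble a SIP message.  content_length=None computes the correct
    value; passing a number lets the sample mimic an ALG that rewrote the
    body without fixing the header."""
    if content_length is None:
        content_length = len(body.encode())
    head = [start_line] + headers + [f"Content-Length: {content_length}"]
    return "\r\n".join(head) + "\r\n\r\n" + body


def parse_sip(msg):
    """Split into (start line, {lower-cased header name: [values]}, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_addresses(body):
    """SDP connection (c=) and media (m=) lines: the RTP address and port an
    ALG rewrites to its own public side."""
    return [l for l in body.split("\r\n") if l.startswith(("c=", "m="))]


def alg_diff(sent, received):
    """Return [(field, sent_value, received_value), ...] for everything a
    middlebox changed; an empty list means the path left the message alone."""
    s_start, s_hdr, s_body = parse_sip(sent)
    r_start, r_hdr, r_body = parse_sip(received)
    changes = []
    if s_start != r_start:
        changes.append(("request-line", s_start, r_start))
    for name in ALG_SENSITIVE_HEADERS:
        if s_hdr.get(name) != r_hdr.get(name):
            changes.append((name, s_hdr.get(name), r_hdr.get(name)))
    for s_line, r_line in zip_longest(sdp_addresses(s_body), sdp_addresses(r_body)):
        if s_line != r_line:
            changes.append(("sdp", s_line, r_line))
    # A body rewrite without a matching Content-Length fix is the SIP-layer
    # equivalent of the wrong checksum in the quoted mail: the far end will
    # truncate or reject the SDP.
    declared = int(r_hdr.get("content-length", ["0"])[0])
    actual = len(r_body.encode())
    if declared != actual:
        changes.append(("content-length", str(declared), str(actual)))
    return changes


def alg_detected(sent, received):
    return bool(alg_diff(sent, received))


# --- constructed sample: INVITE from a phone at 192.168.1.10 behind a NAT,
# and the same INVITE as it arrived at a public-side reflector after a
# hypothetical ALG rewrote it to the gateway's public address 203.0.113.7.
SDP_PRIVATE = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10",
    "s=-",
    "c=IN IP4 192.168.1.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])
SDP_REWRITTEN = (SDP_PRIVATE
                 .replace("c=IN IP4 192.168.1.10", "c=IN IP4 203.0.113.7")
                 .replace("m=audio 49170", "m=audio 1024"))
COMMON = [
    "From: Alice <sip:alice@example.org>;tag=1928301774",
    "To: Bob <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.168.1.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
]
START = "INVITE sip:bob@example.net SIP/2.0"

SENT = build_message(START,
                     ["Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds",
                      "Contact: <sip:alice@192.168.1.10:5060>"] + COMMON,
                     SDP_PRIVATE)
# Via, Contact and SDP rewritten, Content-Length left at the old value.
RECEIVED = build_message(START,
                         ["Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds",
                          "Contact: <sip:alice@203.0.113.7:5060>"] + COMMON,
                         SDP_REWRITTEN,
                         content_length=len(SDP_PRIVATE.encode()))

if __name__ == "__main__":
    for field, before, after in alg_diff(SENT, RECEIVED):
        print(f"{field}: {before!r} -> {after!r}")
```

In a real check the `RECEIVED` message comes from a UDP listener on the public side that echoes whatever it gets; a clean path returns an empty diff, and a stale Content-Length on top of rewritten SDP is the signature of the kind of ALG the thread is complaining about.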