Re: [Mip4] NAT traversal and cellular network administrative filtering
Hi,

> [...]
> Sprint and Verizon may have recently started administratively filtering data – similar result as NATing even though you have unchanged public address space. One way to cope with this is UDP-in-IP tunneling, the same as with NAT traversal code.
>
> NOTE: Depending on the implementation, you may have to force UDP tunneling, because the address is not changing (CoA and actual address). Thus, there is no easy way to auto-sense that you are getting administratively filtered. I suspect this will break a lot of implementations for NAT traversal – as this really isn't NAT traversal, but "weak" firewall traversal.

This is certainly an unfortunate development :( Although networks with such restrictions weren't common at the time, the 'F' (force UDP tunnelling) flag was added to the MIP4 NAT-T spec specifically to deal with such restrictions. (However, I'm quite sure this level of paranoia isn't enough, but it hasn't bitten us yet :-)

Since the 'F' flag is part of the core NAT-T spec, MIP4 should be OK
as long as mobile nodes expose the standard UDP forcing mechanism.
Indeed, at least a few vendors made UDP tunnelling the default simply
to avoid irritating blackhole situations which you point to.

> I spoke to T-Mobile when this first started happening (actually found the right person). They said that the filtering was put into place to eliminate worms probing the networks. The filtering was done not so much for security as to protect the valuable RF bandwidth. T-Mobile is GPRS
> [...]

I'm curious - given the scenario where public addresses are used and
IP-IP doesn't work, why does IP-over-UDP work better?

With UDP encapsulation the MN RRQ/RRP process will establish firewall
state, while with IP-IP the state is established only after the first
(reverse tunneled) data packet.  Is this the problem?  I.e. the MN does
not have traffic to send but needs to be reachable from external
addresses (without corresponding IP-IP state)?  Or is it the case that
IP-IP state is not tracked as accurately as UDP state?

Best regards,

-Sami
--
Sami Vaarala
Chief Technology Officer
Stinghorn  (http://www.stinghorn.com)
Secure Virtualized Software
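The question above (why RRQ/RRP over UDP establishes filter state that IP-in-IP lacks, and why the 'F' flag is needed when the CoA equals the outer source) can be made concrete with a small model. This is an added example, not code from Sami's message or from any MIP4 implementation: the filter is a simplified stateful "weak firewall" keyed on UDP 5-tuples and, for other protocols, on the address pair; the home-agent decision follows RFC 3519 (NAT detected when the RRQ's outer source differs from the CoA, UDP tunnelling used if NAT is detected or 'F' is set); all addresses, prefixes and the MN port are constructed.

```python
"""Added model: stateful operator filtering vs. IP-in-IP and UDP tunnelling.
Hosts, prefixes and the MN port are constructed; 434 is the Mobile IP
registration port (RFC 3344), reused by RFC 3519 UDP tunnelling."""
from dataclasses import dataclass

UDP_PROTO, IPIP_PROTO = 17, 4
MIP_PORT = 434  # Mobile IP registration port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0  # UDP only
    dport: int = 0  # UDP only
    note: str = ""


class StatefulFilter:
    """Operator-side filter model: anything from inside creates flow state;
    packets from outside pass only if they match state already present.
    UDP flows are keyed on the 5-tuple, other protocols on the address pair."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.flows = set()

    @staticmethod
    def key(p: Packet) -> tuple:
        if p.proto == UDP_PROTO:
            return (UDP_PROTO, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.src, p.dst)

    @staticmethod
    def reverse_key(p: Packet) -> tuple:
        if p.proto == UDP_PROTO:
            return (UDP_PROTO, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.dst, p.src)

    def forward(self, p: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        if p.src.startswith(self.inside_prefix):
            self.flows.add(self.key(p))  # outbound packet opens state
            return True
        return self.reverse_key(p) in self.flows  # inbound needs matching state


def ha_uses_udp_tunnel(rrq_outer_src: str, coa: str, force_flag: bool) -> bool:
    """RFC 3519 home-agent decision: NAT is detected when the RRQ's outer
    source differs from the CoA; the 'F' flag requests UDP tunnelling anyway.
    With administrative filtering the two addresses are equal, so only 'F'
    can switch the mode."""
    nat_detected = rrq_outer_src != coa
    return nat_detected or force_flag


def register_and_deliver(force_flag: bool) -> dict:
    """One registration plus inbound delivery through the filter model."""
    MN, HA = "192.0.2.50", "198.51.100.10"  # constructed: MN public CoA, home agent
    MN_PORT = 40000                         # constructed: MN's UDP source port
    fw = StatefulFilter(inside_prefix="192.0.2.")

    # 1. The RRQ is UDP to port 434 and opens UDP state in the filter.
    rrq = Packet(MN, HA, UDP_PROTO, MN_PORT, MIP_PORT, "RRQ")
    assert fw.forward(rrq)
    udp_tunnel = ha_uses_udp_tunnel(rrq.src, coa=MN, force_flag=force_flag)

    # 2. The RRP returns on the same UDP flow, so it always passes.
    rrp_ok = fw.forward(Packet(HA, MN, UDP_PROTO, MIP_PORT, MN_PORT, "RRP"))

    # 3. Traffic for the MN's home address reaches the HA while the MN is
    #    idle; the HA tunnels it to the CoA in the negotiated encapsulation.
    def inbound() -> Packet:
        if udp_tunnel:
            return Packet(HA, MN, UDP_PROTO, MIP_PORT, MN_PORT, "UDP-tunnelled data")
        return Packet(HA, MN, IPIP_PROTO, note="IP-in-IP data")

    first_ok = fw.forward(inbound())

    # 4. Only after the MN reverse-tunnels something does the IP-in-IP
    #    address pair gain state; the UDP flow already had it.
    reverse = (Packet(MN, HA, UDP_PROTO, MN_PORT, MIP_PORT, "reverse data")
               if udp_tunnel else Packet(MN, HA, IPIP_PROTO, note="reverse data"))
    fw.forward(reverse)
    later_ok = fw.forward(inbound())

    return {"udp_tunnel": udp_tunnel, "rrp_delivered": rrp_ok,
            "idle_mn_reachable": first_ok,
            "reachable_after_reverse_tunnel": later_ok}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"F flag={flag}: {register_and_deliver(flag)}")
```

Running both cases shows the asymmetry the thread describes: without 'F' the RRP gets through but the first inbound IP-in-IP packet to an idle MN is dropped until the MN itself sends a reverse-tunnelled packet, whereas with 'F' the registration exchange and the tunnelled data share one UDP flow, so the state created by the RRQ already covers inbound data.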

--
Mip4 mailing list: Mip4 at ietf.org
   Web interface: https://www1.ietf.org/mailman/listinfo/mip4
    Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.