Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering

To: Alexandru Petrescu <Alexandru.Petrescu at motorola.com>
Subject: Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering
From: Sami Vaarala <sami.vaarala at iki.fi>
Date: Mon, 14 Mar 2005 16:05:54 +0200
Cc: ivancic <wivancic at grc.nasa.gov>, mip4 at ietf.org
In-reply-to: <42358C38.7050608@motorola.com>
List-help: <mailto:mip4-request@ietf.org?subject=help>
List-id: Mobility for IPv4 <mip4.ietf.org>
List-post: <mailto:mip4@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
References: <4231EC62.3050800@grc.nasa.gov> <4234106D.1030301@iki.fi> <42358C38.7050608@motorola.com>
Reply-to: sami.vaarala at iki.fi
Sender: mip4-bounces at ietf.org
User-agent: Debian Thunderbird 1.0 (X11/20050116)

Alexandru,

It may be the case that operator forbids IP-IP because IP-IP has the
potential to deny the effectiveness of all other firewall filtering
rules that may be in place (rules acting on IP, not IP-in-IP - acting on
IP-in-IP requires more processing time which may be detrimental to
performance).


Not only processing time, but depending on the firewall architecture
it may be easy, hard, or impossible to peer into IP-IP (or IP-IP-IP,
IP-over-PPP-over-L2TP etc).In this sense, IP-IP may "escape" the normal
policy mechanism.

On the other hand you need a remote IP-IP endpoint for decapsulation,
and if you have that, you may escape the normal policy anyway by using
any of the dozen available tunneling tools out there.

At the same time, operator may allow certain UDP tunneling to pass
through because that operator may have agreements with Content Providers
that are placed outside that operator's network.  "Content" may be video
streaming over UDP.  So operator assumes that UDP mms port 1755
(Microsoft Multimedia Streaming) should pass through, and keeps it open.

>

Just a potential explanation, and it's pure speculation, and it may be
far from the actual motivation of T-Mobile filtering rules.


Right.  It may well be that operator X (in general) may want to block
IP-IP but is accidentally letting IP-over-UDP pass because of lacking
support in firewalls to prevent it.  Bypassing that policy using forced
UDP encapsulation is not necessarily very nice (from the operator's
viewpoint), but we lack the common tools to let the operator make this
policy decision.

However, in this case it seemed to me that the effects on normal MIP4
were a side-effect of a response to a perceived threat, not a deliberate
policy to block MIP4.

Best,

-Sami

--
Mip4 mailing list: Mip4 at ietf.org
   Web interface: https://www1.ietf.org/mailman/listinfo/mip4
    Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

References:
- [Mip4] NAT traversal and cellular network administrative filtering
  - From: ivancic
- Re: [Mip4] NAT traversal and cellular network administrative filtering
  - From: Sami Vaarala
- Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering
  - From: Alexandru Petrescu

Prev by Date: Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering
Next by Date: [Mip4] RE: [Mip6] NAT traversal and cellular network administrative filtering
Previous by thread: Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering
Next by thread: PLAYSTATION2 is yours to keep pending participation ctmx
Index(es):
- Date
- Thread

Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.