Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [nemo] Re: [Mip4] NAT traversal and cellular network administrative filtering

Sami,
 
I am not T-mobile :)
 
It is becoming a trend when providers look for data revenues, service selection
mechanisms are being deployed to distinguish/charge the byte usages and perform authorizations. 
 
The Idea to block IP-IP is not the right way to combat worms :) a deep inspection is.
 
I am curious which service plan iVincic was referring to and whether T-mobile blocks all IP-IP in 
all different data plans
 
 
Qiang
 
 
Alexandru,

It may be the case that operator forbids IP-IP because IP-IP has the
potential to deny the effectiveness of all other firewall filtering
rules that may be in place (rules acting on IP, not IP-in-IP - acting on
IP-in-IP requires more processing time which may be detrimental to
performance).


Not only processing time, but depending on the firewall architecture
it may be easy, hard, or impossible to peer into IP-IP (or IP-IP-IP,
IP-over-PPP-over-L2TP etc).In this sense, IP-IP may "escape" the normal
policy mechanism.

On the other hand you need a remote IP-IP endpoint for decapsulation,
and if you have that, you may escape the normal policy anyway by using
any of the dozen available tunneling tools out there.

At the same time, operator may allow certain UDP tunneling to pass
through because that operator may have agreements with Content Providers
that are placed outside that operator's network.  "Content" may be video
streaming over UDP.  So operator assumes that UDP mms port 1755
(Microsoft Multimedia Streaming) should pass through, and keeps it open.
> 
Just a potential explanation, and it's pure speculation, and it may be
far from the actual motivation of T-Mobile filtering rules.


Right.  It may well be that operator X (in general) may want to block
IP-IP but is accidentally letting IP-over-UDP pass because of lacking
support in firewalls to prevent it.  Bypassing that policy using forced
UDP encapsulation is not necessarily very nice (from the operator's
viewpoint), but we lack the common tools to let the operator make this
policy decision.

However, in this case it seemed to me that the effects on normal MIP4
were a side-effect of a response to a perceived threat, not a deliberate
policy to block MIP4.

Best,

-Sami

--
Mip4 mailing list: Mip4 at ietf.org
   Web interface: https://www1.ietf.org/mailman/listinfo/mip4
    Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/            
-- 
Mip4 mailing list: Mip4 at ietf.org
    Web interface: https://www1.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.