Hi Dan,

On 28.09.2011 23:28, Dan Wing wrote:
> ALGs are harmful and the NAT industry has over a decade experience 
> that shows ALGs are harmful.  ALGs have prevented proper operation
> of SIP, FTP, and a variety of other protocols.  The more complex
> a protocol, the more likely an ALG interferes with the complex
> protocol -- rather than helping it.  This is because the ALG makes
> naive assumptions of message flows and interferes with advanced
> functions the protocol would like to do.

I know that very well, because I've attended your excellent tutorial
at some IETF meeting in the past. :-)

> An ALG also requires unencrypted communications (so the application 
> can be examined) and, if the application payload is supposed to be 
> modified, also requires using no integrity checking.  That means 
> the entire system has a greater attack surface just to allow the
> ALG to examine and to modify the packets in transit.
> An ALG also complicates upgrading protocols.  Protocol changes have
> to be done so they remain compatible with the remote system (always
> a requirement) as well as with the ALG (which is a requirement because
> of the ALG).  This increases the complexity to the protocol, especially
> as the ALGs, themselves, evolve and have their own bugs fixed, but
> are not proper, signaled elements in the architecture.

Agreed, but I think that the case of NAT-ALGs is a little bit different
as they try to be transparent to the end-hosts. We think more of a
security gateway/proxy architecture, where the existence of the proxy
is explicitly modeled, e.g., use an HTTP proxy for web access.
Sure, not all protocols allow the use of proxies.
Please note that a car's onboard network is a very different
use case than hosts operating in the open public Internet.
We need a very secure solution in order to guarantee the safety
of the car and the passengers. Which internal devices communicate
externally is usually well-known in advance.
Though a good point is that the protocols on the remote side may
change and that you have to adapt to the changes.
In some cases when using the proxy architecture, maybe only the proxy
has to be upgraded, not the internal devices; in other cases maybe
the proxy in addition to the internal devices, which increases the
complexity.

Regards,
 Roland
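As an added illustration of the explicitly modeled proxy architecture discussed above (this is example code, not something from the thread or from any IETF work): an HTTP CONNECT-style forward proxy in a car's onboard network knows in advance which internal device may reach which external service, decides on the CONNECT metadata alone, and never has to inspect or rewrite the TLS payload that follows, which is exactly what a transparent NAT-ALG cannot avoid. The device names, hosts and the allowlist are constructed for the example.

```python
"""Policy check for an explicitly modeled forward proxy (CONNECT tunnel).

Added example. Unlike a transparent NAT-ALG, the proxy is a known element:
internal devices send "CONNECT host:port HTTP/1.1" to it, the proxy decides
from a per-device allowlist whether to open the tunnel, and the encrypted
application payload afterwards passes through untouched and unexamined.
"""
from dataclasses import dataclass
import re

# Constructed sample policy (hypothetical device names and hosts): which
# internal device may reach which external service, known in advance.
ALLOWLIST = {
    "telematics-unit": {("updates.example.invalid", 443)},
    "infotainment": {("maps.example.invalid", 443), ("media.example.invalid", 443)},
}

# CONNECT request line: method, host:port target, HTTP version.
CONNECT_RE = re.compile(r"^CONNECT\s+([A-Za-z0-9.-]+):(\d{1,5})\s+HTTP/1\.[01]$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_connect(request_line: str):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1).lower(), int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return host, port


def decide(device: str, request_line: str) -> Decision:
    """Apply the per-device allowlist to a CONNECT request from an internal device."""
    target = parse_connect(request_line)
    if target is None:
        return Decision(False, "malformed CONNECT request")
    if device not in ALLOWLIST:
        return Decision(False, f"unknown internal device {device!r}")
    if target not in ALLOWLIST[device]:
        return Decision(False, f"{device} may not reach {target[0]}:{target[1]}")
    return Decision(True, "tunnel permitted")


def proxy_response(decision: Decision) -> str:
    """Status line the proxy sends back before opening (or refusing) the tunnel."""
    if decision.allowed:
        return "HTTP/1.1 200 Connection Established\r\n\r\n"
    return "HTTP/1.1 403 Forbidden\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample requests, including one from a device not in the policy
    # and one that is not a CONNECT request at all.
    for dev, line in [
        ("telematics-unit", "CONNECT updates.example.invalid:443 HTTP/1.1"),
        ("infotainment", "CONNECT updates.example.invalid:443 HTTP/1.1"),
        ("diagnostics", "CONNECT maps.example.invalid:443 HTTP/1.1"),
        ("telematics-unit", "GET / HTTP/1.1"),
    ]:
        d = decide(dev, line)
        print(f"{dev:16} {line:48} -> {'allow' if d.allowed else 'deny'} ({d.reason})")
```

Because the policy is keyed on the requesting device and the CONNECT target only, a protocol change on the remote side that stays inside the TLS tunnel needs no change at the proxy, while a new external endpoint shows up as a denied CONNECT that an operator can review before extending the allowlist.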
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------