Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-16 Thread Mike Tancsa

At 12:19 AM 4/10/2009, Rubens Kuhl wrote:

On shared media like radio access, every unwanted packet means less
performance you will get out of the network.
This can be done by NAT,
stateful filtering with public IPs or stateless filtering with public
IPs; the advantage of doing NAT is making it easier for the end-point
software to know that (two ways: noticing your local IP address is
from RFC1918 space, or connecting to a server that tells your IP in
order to compare it to the local address).

As such, GPRS, EDGE, EVDO, HSPA, LTE and Mobile WiMAX services have
good reasons to use NAT, and most do.


Speaking of unwanted traffic, I was quite surprised how much unwanted 
traffic I see on my RFC 1918 space that's given out by one of the 
Canadian telcos -- i.e. this is behind the giant NATting firewalls


Blocking all inbound traffic and logging to pflog (pcap format)

It's full of cruft like this

0[i7]# tcpdump -nr /var/log/pflog | head -2
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
16:01:09.899554 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:01:10.439516 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>


Looking at the pflogs for the last 3 days of just the port 445 and 135 
scan traffic, as well as the odd ping packet


1[i7]# cat pflo* | tcpdump -nr - -w /tmp/scan.pcap port 445 or port 135 or icmp
reading from file -, link-type PFLOG (OpenBSD pflog file)
tcpdump: pcap_loop: bogus savefile header
1[i7]# tcpstat -r /tmp/scan.pcap -a
Bytes/sec   =  0.4  B
Bytes/minute= 26.2  B
Bytes/hour  =  1.5 KB
Bytes/day   = 36.8 KB
Bytes/month =  1.1 MB
0[i7]#

Hmmm... considering some plans start at 1MB per month

---Mike 
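The measurement Mike describes (block all unsolicited inbound, log it to pflog, then ask what it adds up to against a metered plan) can be scripted over tcpdump's text output. The script below is an added example for this thread, not Mike Tancsa's tooling: it parses `tcpdump -nr` summary lines of the form shown above, counts packets per destination port and per source, flags sources that are themselves inside RFC 1918 space (other hosts behind the same carrier NAT), and projects the volume onto the per-day and per-month figures tcpstat prints. Because tcpdump's one-line summary carries no frame length, the byte figures rest on assumed wire sizes (60 bytes per TCP SYN, 84 per ICMP echo), an assumption of this example; the sample input is constructed (its first two lines are the ones quoted in the message).

```python
"""Tally pf-logged unwanted inbound traffic from tcpdump's text output.

Added example, not the original poster's code. Pipe `tcpdump -nr /var/log/pflog`
into it, or run it alone to process the constructed sample below.
"""
import re
import sys
import ipaddress
from collections import Counter

# "<ts> IP a.b.c.d.sport > e.f.g.h.dport: <rest>" as tcpdump -n prints TCP
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "<ts> IP a.b.c.d > e.f.g.h: ICMP <rest>"
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): ICMP (?P<rest>.*)$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed wire sizes (the text line has no frame length): an IPv4 TCP SYN with
# options is about 60 bytes, a default ICMP echo request 84. Assumption of this example.
ASSUMED_BYTES = {"tcp": 60, "icmp": 84}

# Constructed sample: first two lines are the ones quoted in the message, the rest
# are made up to exercise port 135, ICMP and a non-packet line that must be ignored.
SAMPLE = """\
16:01:09.899554 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:01:10.439516 IP 10.141.184.158.2167 > 10.141.81.113.445: Flags [S], seq 2743613661, win 53760, options [mss 1360,nop,wscale 3,nop,nop,TS[|tcp]>
16:03:44.120011 IP 10.141.190.7.4021 > 10.141.81.113.135: Flags [S], seq 1998811, win 65535, options [mss 1360,nop,nop,sackOK]
16:07:02.551903 IP 198.51.100.23 > 10.141.81.113: ICMP echo request, id 512, seq 1, length 64
16:09:15.003377 IP 10.141.190.7.4022 > 10.141.81.113.445: Flags [S], seq 1998900, win 65535, options [mss 1360,nop,nop,sackOK]
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
"""


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_line(line: str):
    """Return {src, dst, proto, dport} for a TCP or ICMP summary line, else None."""
    m = TCP_RE.match(line)
    if m:
        return {"src": m["src"], "dst": m["dst"], "proto": "tcp", "dport": int(m["dport"])}
    m = ICMP_RE.match(line)
    if m:
        return {"src": m["src"], "dst": m["dst"], "proto": "icmp", "dport": None}
    return None


def tally(lines):
    """Count packets and assumed bytes, per destination port and per source, and
    collect the sources that sit in RFC 1918 space (i.e. behind the same NAT)."""
    per_port, per_src, inside = Counter(), Counter(), set()
    packets = nbytes = 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue
        packets += 1
        nbytes += ASSUMED_BYTES[rec["proto"]]
        per_port[rec["dport"] if rec["proto"] == "tcp" else "icmp"] += 1
        per_src[rec["src"]] += 1
        if is_rfc1918(rec["src"]):
            inside.add(rec["src"])
    return {"packets": packets, "bytes": nbytes, "per_port": per_port,
            "per_src": per_src, "rfc1918_sources": inside}


def project(total_bytes: int, window_seconds: float) -> dict:
    """Spread a byte total over the capture window the way tcpstat reports it
    (a 30-day month is assumed here)."""
    per_sec = total_bytes / window_seconds
    return {"per_sec": per_sec, "per_hour": per_sec * 3600,
            "per_day": per_sec * 86400, "per_month": per_sec * 86400 * 30}


def run_sample(window_seconds: float = 3 * 86400) -> dict:
    """Tally the constructed sample as if it covered a 3-day window."""
    result = tally(SAMPLE.splitlines())
    result["rates"] = project(result["bytes"], window_seconds)
    return result


if __name__ == "__main__":
    # Usage: tcpdump -nr /var/log/pflog | python3 tally.py [window_seconds]
    window = float(sys.argv[1]) if len(sys.argv) > 1 else 3 * 86400
    if sys.stdin.isatty():
        r = run_sample(window)
    else:
        r = tally(sys.stdin)
        r["rates"] = project(r["bytes"], window)
    print(f"{r['packets']} packets, ~{r['bytes']} bytes (assumed sizes)")
    print("per dst port:", dict(r["per_port"]))
    print("top sources:", r["per_src"].most_common(5))
    print("sources inside RFC 1918 space:", sorted(r["rfc1918_sources"]))
    print("projected: %.1f B/day, %.1f B/month" % (r["rates"]["per_day"], r["rates"]["per_month"]))
```

Two practical notes. The `bogus savefile header` in the `cat pflo* | tcpdump -nr -` step comes from concatenating pcap files: each file starts with its own global header, so tcpdump stops when it hits the second one and only the first file is counted; read the rotated files one at a time in a loop, or merge them with Wireshark's mergecap first. And the RFC 1918 source list is the interesting output here: scans arriving from 10.x addresses are other subscribers behind the same carrier NAT, which the Gi firewall cannot help with.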





RE: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-16 Thread TJ
That's why you use Teredo - it defeats that sort of simple statefulness, and
works.
((SSH'ed from one laptop (WinXP, using MS's Teredo over double-NATed v4
connection) to another laptop (Ubuntu, EVDO, + Miredo) ... although it was
pretty slow, it fit my needs at the time.))

For a time, maybe still today?, 6to4 would work as well.  That is, the
carrier may have been filtering unsolicited TCP/UDP ... but not Protocol41.
(Off the top of my head, I forget which providers fell into which side of
the ItWorked | ItStillWorks camp)


/TJ


>-Original Message-
>From: Charles Wyble [mailto:char...@thewybles.com]
>Sent: Thursday, April 09, 2009 6:09 PM
>To: Skywing
>Cc: NANOG list
>Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
>
>Yep, Verizon does indeed filter all unsolicited inbound traffic to the EVDO
>network. It can be a blessing or a curse. :)
>
>Skywing wrote:
>> Verizon filters unsolicited inbound traffic for their EVDO customers in my
>> experience.
>>
>> - S
>>
>> -Original Message-
>> From: Roland Dobbins 
>> Sent: Thursday, April 09, 2009 09:32
>> To: NANOG list 
>> Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
>>
>>
>> On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
>>
>>> Please share your thought and thanks in advance :)
>>
>> No, IMHO.  Most broadband operators don't insert firewalls inline in
>> front of their subscribers, and wireless broadband is no different.
>>
>> The infrastructure itself must be protected via iACLs, the various
>> vendor-specific control-plane protection mechanisms, and so forth, but
>> inserting additional state in the middle of everything doesn't buy
>> anything, and introduces additional constraints and concerns.
>>
>> --
>> - Roland Dobbins  // +852.9133.2844 mobile
>>
>>Our dreams are still big; it's just the future that got small.
>>
>>-- Jason Scott
>>
>>
>>




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-10 Thread Eugeniu Patrascu

Roland Dobbins wrote:


On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:


Please share your thought and thanks in advance :)


No, IMHO.  Most broadband operators don't insert firewalls inline in 
front of their subscribers, and wireless broadband is no different.
Some operators put firewalls to NAT their subscribers into smaller IP 
address pools (I have put some for a particular one).


The infrastructure itself must be protected via iACLs, the various 
vendor-specific control-plane protection mechanisms, and so forth, but 
inserting additional state in the middle of everything doesn't buy 
anything, and introduces additional constraints and concerns.




Yes.



Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Rubens Kuhl
On shared media like radio access, every unwanted packet means less
performance you will get out of the network. This can be done by NAT,
stateful filtering with public IPs or stateless filtering with public
IPs; the advantage of doing NAT is making it easier for the end-point
software to know that (two ways: noticing your local IP address is
from RFC1918 space, or connecting to a server that tells your IP in
order to compare it to the local address).

As such, GPRS, EDGE, EVDO, HSPA, LTE and Mobile WiMAX services have
good reasons to use NAT, and most do.


Rubens


On Thu, Apr 9, 2009 at 12:48 PM, Lee, Steven (NSG Malaysia)
 wrote:
> Hi all, most of the existing 2G/2.5G mobile PS-core (Packet Switch) 
> networks have a Gi segment (interface between GGSN & IP Router/firewall). Due 
> to the IP address constraint, operators usually did NAT on the Gi firewall to 
> NAT the private IP to public IP in the past. Looking at the traffic pattern 
> and user access behaviour, does it make sense to have a firewall between the 
> GGSN & Public Internet if the public IP addresses are sufficient to cater for 
> mobile subscribers? Especially with 3G/UMTS/HSPA or even LTE in the future.
>
> Please share your thought and thanks in advance :)
>
> Regards,
> Steven Lee
>
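Rubens's two endpoint-side checks (is my local address in RFC 1918 space; does the address a remote server sees for me differ from my local one) are small enough to show in code. The script below is an added example for this thread, not Rubens Kuhl's code. The reflected address is passed in as a parameter so the script runs offline; on a real host it would come from a STUN server (RFC 5389) or any "what is my IP" echo service. It also treats the RFC 6598 shared address space (100.64.0.0/10) as NAT space: that allocation postdates this thread but is what many mobile carriers now assign behind carrier-grade NAT, and an RFC 1918 check alone would miss it. The address pairs at the bottom are constructed.

```python
"""Endpoint-side NAT detection: RFC 1918/6598 local address, or a reflected
address that differs from the local one. Added example, not the poster's code."""
import ipaddress
import socket
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space used behind carrier-grade NAT (postdates the thread).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def local_address_toward(dst: str = "192.0.2.1") -> Optional[str]:
    """Address this host would source from toward dst (a TEST-NET-1 placeholder).
    A UDP connect() sends nothing on the wire; it only picks a route and source."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((dst, 53))
            return s.getsockname()[0]
    except OSError:
        return None


def nat_assessment(local_addr: str, reflected_addr: Optional[str] = None) -> dict:
    """Apply both checks and return the verdict with the reasons that fired."""
    local = ipaddress.ip_address(local_addr)
    reasons = []
    if local.version == 4 and any(local in net for net in RFC1918):
        reasons.append("local address is RFC 1918")
    elif local.version == 4 and local in CGNAT:
        reasons.append("local address is RFC 6598 shared (CGNAT) space")
    if reflected_addr is not None and ipaddress.ip_address(reflected_addr) != local:
        reasons.append("address seen by the remote server differs from local")
    return {"local": str(local), "reflected": reflected_addr,
            "behind_nat": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed pairs: a handset on RFC 1918 space behind a carrier NAT; a host
    # with a public address that a server sees as a different public address;
    # a directly connected host; a handset on CGNAT space with no reflection done.
    for local, seen in [("10.141.81.113", "203.0.113.7"),
                        ("203.0.113.7", "198.51.100.2"),
                        ("203.0.113.7", "203.0.113.7"),
                        ("100.64.3.9", None)]:
        print(nat_assessment(local, seen))
    print("this host's own outbound address:", local_address_toward())
```

The reflected-address check is the more general of the two (it catches NAT between public address ranges, as in the second constructed pair) but is also the less specific: a forward proxy or a VPN concentrator produces the same mismatch, so software that changes behaviour on it should treat the result as "something rewrites my address", not specifically "NAT".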



RE: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Lee, Steven (NSG Malaysia)
Hi Charles/Skywing, does Verizon filter the unsolicited inbound traffic on the 
firewall or on the border router?

Regards,
Steven Lee 

-Original Message-
From: Charles Wyble [mailto:char...@thewybles.com] 
Sent: Friday, April 10, 2009 6:09 AM
To: Skywing
Cc: NANOG list
Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

Yep, Verizon does indeed filter all unsolicited inbound traffic to the 
EVDO network. It can be a blessing or a curse. :)

Skywing wrote:
> Verizon filters unsolicited inbound traffic for their EVDO customers in my 
> experience.
> 
> - S
> 
> -Original Message-
> From: Roland Dobbins 
> Sent: Thursday, April 09, 2009 09:32
> To: NANOG list 
> Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
> 
> 
> On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
> 
>> Please share your thought and thanks in advance :)
> 
> No, IMHO.  Most broadband operators don't insert firewalls inline in
> front of their subscribers, and wireless broadband is no different.
> 
> The infrastructure itself must be protected via iACLs, the various
> vendor-specific control-plane protection mechanisms, and so forth, but
> inserting additional state in the middle of everything doesn't buy
> anything, and introduces additional constraints and concerns.
> 
> ---
> Roland Dobbins  // +852.9133.2844 mobile
> 
>Our dreams are still big; it's just the future that got small.
> 
>-- Jason Scott
> 
> 
> 




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Charles Wyble
Yep, Verizon does indeed filter all unsolicited inbound traffic to the 
EVDO network. It can be a blessing or a curse. :)


Skywing wrote:

Verizon filters unsolicited inbound traffic for their EVDO customers in my 
experience.

- S

-Original Message-
From: Roland Dobbins 
Sent: Thursday, April 09, 2009 09:32
To: NANOG list 
Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?


On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:


Please share your thought and thanks in advance :)


No, IMHO.  Most broadband operators don't insert firewalls inline in
front of their subscribers, and wireless broadband is no different.

The infrastructure itself must be protected via iACLs, the various
vendor-specific control-plane protection mechanisms, and so forth, but
inserting additional state in the middle of everything doesn't buy
anything, and introduces additional constraints and concerns.

---
Roland Dobbins  // +852.9133.2844 mobile

   Our dreams are still big; it's just the future that got small.

   -- Jason Scott







RE: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Skywing
Verizon filters unsolicited inbound traffic for their EVDO customers in my 
experience.

- S

-Original Message-
From: Roland Dobbins 
Sent: Thursday, April 09, 2009 09:32
To: NANOG list 
Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?


On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:

> Please share your thought and thanks in advance :)

No, IMHO.  Most broadband operators don't insert firewalls inline in
front of their subscribers, and wireless broadband is no different.

The infrastructure itself must be protected via iACLs, the various
vendor-specific control-plane protection mechanisms, and so forth, but
inserting additional state in the middle of everything doesn't buy
anything, and introduces additional constraints and concerns.

---
Roland Dobbins  // +852.9133.2844 mobile

   Our dreams are still big; it's just the future that got small.

   -- Jason Scott





Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Mike Dimayuga
Hello Steven,

There seems to be an underlying assumption to your question
- that a firewall exists for Gi traffic only because of the NAT
requirement.  This is not necessarily a safe assumption to make.  The NAT
functionality may be needed to conserve IP space but does not take away from
the importance of protecting the network infrastructure from both the
outside world as well as from the mobiles themselves.

There are caveats to putting firewalls in the Gi path that you have to
consider - such as session count limits and how they play with lots of
small-sized packets. (as you may know, not all mobile applications are
well-behaved).

Miguel

On Thu, Apr 9, 2009 at 11:48 AM, Lee, Steven (NSG Malaysia) <
kin-wei@hp.com> wrote:

> Hi all, most of the existing 2G/2.5G mobile PS-core (Packet Switch)
> networks have a Gi segment (interface between GGSN & IP Router/firewall). Due
> to the IP address constraint, operators usually did NAT on the Gi firewall to
> NAT the private IP to public IP in the past. Looking at the traffic pattern
> and user access behaviour, does it make sense to have a firewall between the
> GGSN & Public Internet if the public IP addresses are sufficient to cater
> for mobile subscribers? Especially with 3G/UMTS/HSPA or even LTE in the
> future.
>
> Please share your thought and thanks in advance :)
>
> Regards,
> Steven Lee
>



-- 
--
Miguel de Leon Dimayuga

"For we walk by faith, not by sight."


Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Roland Dobbins


On Apr 10, 2009, at 12:21 AM, Alexander Harrowell wrote:

I would think that, however you are providing IP addresses, any ingress point
to a GSM core network ought to be carefully policed on security grounds.


Sure.  But stateful firewalls aren't required to protect that  
infrastructure, stateless ACLs in hardware will work quite well.


---
Roland Dobbins  // +852.9133.2844 mobile

  Our dreams are still big; it's just the future that got small.

   -- Jason Scott




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Roland Dobbins


On Apr 10, 2009, at 12:17 AM, Mikael Abrahamsson wrote:

Today's GGSN and other devices should handle it, even though they
didn't do it well 5+ years back.


There's a lot of legacy (and not-so-legacy) gear out there with weak
IP stacks; beyond that, the relevant BCPs like iACLs should be
deployed to protect the GGSN, et al.


---
Roland Dobbins  // +852.9133.2844 mobile

  Our dreams are still big; it's just the future that got small.

   -- Jason Scott




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Alexander Harrowell
On Thursday 09 April 2009 16:48:32 Lee, Steven (NSG Malaysia) wrote:
> Hi all, most of the existing 2G/2.5G mobile PS-core (Packet Switch)
> networks have a Gi segment (interface between GGSN & IP Router/firewall). Due
> to the IP address constraint, operators usually did NAT on the Gi firewall to
> NAT the private IP to public IP in the past. Looking at the traffic pattern
> and user access behaviour, does it make sense to have a firewall between the
> GGSN & Public Internet if the public IP addresses are sufficient to cater
> for mobile subscribers? Especially with 3G/UMTS/HSPA or even LTE in the
> future.
>
> Please share your thought and thanks in advance :)
>
> Regards,
> Steven Lee
I would think that, however you are providing IP addresses, any ingress point 
to a GSM core network ought to be carefully policed on security grounds. 
Especially if you have IMS or SIP-based services or intend to deploy them.




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Roland Dobbins


On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:


Please share your thought and thanks in advance :)


No, IMHO.  Most broadband operators don't insert firewalls inline in  
front of their subscribers, and wireless broadband is no different.


The infrastructure itself must be protected via iACLs, the various  
vendor-specific control-plane protection mechanisms, and so forth, but  
inserting additional state in the middle of everything doesn't buy  
anything, and introduces additional constraints and concerns.


---
Roland Dobbins  // +852.9133.2844 mobile

  Our dreams are still big; it's just the future that got small.

   -- Jason Scott




Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Mikael Abrahamsson

On Thu, 9 Apr 2009, Lee, Steven (NSG Malaysia) wrote:

Hi all, most of the existing 2G/2.5G mobile PS-core (Packet Switch) 
networks have a Gi segment (interface between GGSN & IP Router/firewall). 
Due to the IP address constraint, operators usually did NAT on the Gi 
firewall to NAT the private IP to public IP in the past. Looking at the 
traffic pattern and user access behaviour, does it make sense to have a 
firewall between the GGSN & Public Internet if the public IP addresses 
are sufficient to cater for mobile subscribers? Especially with 
3G/UMTS/HSPA or even LTE in the future.


The only reason I see to have a FW on Gi would be to have a stateful 
device to stop scanning from the Internet towards the mobile devices (I 
don't know how many SYNs you see on a /16 nowadays, it used to be quite a 
lot). I know mobile operators who have been operating with public IPs to 
all customers without a FW for a lot of years. Today's GGSN and other devices 
should handle it, even though they didn't do it well 5+ years back.


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

2009-04-09 Thread Lee, Steven (NSG Malaysia)
Hi all, most of the existing 2G/2.5G mobile PS-core (Packet Switch) networks 
have a Gi segment (interface between GGSN & IP Router/firewall). Due to the IP 
address constraint, operators usually did NAT on the Gi firewall to NAT the 
private IP to public IP in the past. Looking at the traffic pattern and user 
access behaviour, does it make sense to have a firewall between the GGSN & Public 
Internet if the public IP addresses are sufficient to cater for mobile 
subscribers? Especially with 3G/UMTS/HSPA or even LTE in the future.

Please share your thought and thanks in advance :)

Regards,
Steven Lee