> -----Original Message-----
> From: Roland Bless [mailto:[email protected]]
> Sent: Thursday, September 29, 2011 1:15 AM
> To: Dan Wing
> Cc: 'Joel M. Halpern'; '6man'
> Subject: Re: Centrally assigned "ULAs" for automotives and other
> environments
>
> Hi Dan,
>
> On 28.09.2011 23:28, Dan Wing wrote:
> > ALGs are harmful and the NAT industry has over a decade experience
> > that shows ALGs are harmful. ALGs have prevented proper operation
> > of SIP, FTP, and a variety of other protocols. The more complex
> > a protocol, the more likely an ALG interferes with the complex
> > protocol -- rather than helping it. This is because the ALG makes
> > naive assumptions of message flows and interferes with advanced
> > functions the protocol would like to do.
>
> I know that very well, because I've attended your excellent tutorial
> at some IETF meeting in the past. :-)

Did I come across as disliking ALGs a bit? ;-)

> > An ALG also requires unencrypted communications (so the application
> > can be examined) and, if the application payload is supposed to be
> > modified, also requires using no integrity checking. That means
> > the entire system has a greater attack surface just to allow the
> > ALG to examine and to modify the packets in transit.
> >
> > An ALG also complicates upgrading protocols. Protocol changes have
> > to be done so they remain compatible with the remote system (always
> > a requirement) as well as with the ALG (which is a requirement because
> > of the ALG). This increases the complexity to the protocol, especially
> > as the ALGs, themselves, evolve and have their own bugs fixed, but
> > are not proper, signaled elements in the architecture.
>
> Agreed, but I think that the case of NAT-ALGs is a little bit different
> as they try to be transparent to the end-hosts.

Yes, that's the definition of an ALG. There are ALGs for firewalls, as
well. The first ALG written, to my knowledge, was for a firewall (not a
NAT) and was for "active mode" FTP. Active mode FTP is where the server
makes a TCP connection back to the client. If the client is behind a
firewall (e.g., corporate firewall), FTP broke. Adding an ALG to the
firewall, so it sniffed FTP signaling and created a mapping in the
firewall, allowed active mode FTP to work.

> We think more of a
> security gateway/proxy architecture, where the existence of the proxy
> is explicitly modeled, e.g., use an HTTP proxy for web access.
> Sure, not all protocols allow the use of proxies.

But that's a proxy. A proxy is not an ALG.

> Please note that a car's onboard network is a very different
> use case than hosts operating in the open public Internet.
> We need a very secure solution in order to guarantee the safety
> of the car and the passengers. Which internal devices communicate
> externally is usually well-known in advance.
>
> Though a good point is that the protocols on the remote side may
> change and that you have to adapt to the changes.
> In some cases when using the proxy architecture, maybe only the proxy
> has to be upgraded, not the internal devices, in other cases maybe
> the proxy in addition to the internal devices, which increases the
> complexity.

-d
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
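The active-mode FTP ALG Dan describes above is worth seeing in code, because it makes concrete all three of the costs raised in the thread: the ALG has to read the cleartext control channel, it has to rewrite the payload (which changes the TCP stream length), and it only knows the commands it was written for. The following Python model is an added example by the editor; it is not code from this thread, from Dan Wing or Roland Bless, or from any NAT or firewall product. The class and method names, the port-allocation scheme, the addresses (client 10.0.0.5 behind a NAT with public address 203.0.113.9) and the sample control-channel lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    """A pinhole/translation the ALG installed so the server's inbound
    data connection can reach the client behind the firewall/NAT."""
    client_ip: str
    client_port: int
    public_ip: str
    public_port: int


class FtpAlg:
    """Toy active-mode FTP ALG (hypothetical model, for illustration only).

    It sniffs the cleartext control channel for PORT (RFC 959) and, only if
    it has been taught about it, EPRT (RFC 2428); opens a mapping for the
    data connection the server will initiate; and rewrites the address in
    the command to the NAT's public address. The rewrite changes the payload
    length, so the ALG must also track a TCP sequence-number delta to apply
    to later segments. That is exactly why payload integrity protection or
    encryption and an ALG cannot coexist.
    """

    PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")
    EPRT_RE = re.compile(r"EPRT \|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|\r\n")

    def __init__(self, public_ip: str, first_port: int = 40000,
                 understands_eprt: bool = False) -> None:
        self.public_ip = public_ip
        self.next_port = first_port          # constructed allocation scheme
        self.understands_eprt = understands_eprt
        self.mappings: List[Mapping] = []
        self.seq_delta = 0                   # bytes added to the client's stream
        self.encrypted = False               # once TLS starts, the ALG is blind

    def _open_mapping(self, client_ip: str, client_port: int) -> Mapping:
        m = Mapping(client_ip, client_port, self.public_ip, self.next_port)
        self.next_port += 1
        self.mappings.append(m)
        return m

    def process(self, cmd: str) -> Tuple[str, Optional[Mapping]]:
        """Inspect one client->server control line. Returns the line to
        forward and the mapping opened, or None when the ALG did nothing."""
        if self.encrypted:
            # Ciphertext: nothing to parse, no mapping. Active mode breaks.
            return cmd, None
        if cmd == "AUTH TLS\r\n":
            self.encrypted = True
            return cmd, None
        m = self.PORT_RE.fullmatch(cmd)
        if m:
            h = m.groups()
            client_ip = ".".join(h[:4])
            client_port = int(h[4]) * 256 + int(h[5])   # p1*256 + p2
            mp = self._open_mapping(client_ip, client_port)
            rewritten = "PORT %s,%d,%d\r\n" % (
                mp.public_ip.replace(".", ","),
                mp.public_port // 256, mp.public_port % 256)
            self.seq_delta += len(rewritten) - len(cmd)
            return rewritten, mp
        m = self.EPRT_RE.fullmatch(cmd)
        if m and self.understands_eprt:
            mp = self._open_mapping(m.group(1), int(m.group(2)))
            rewritten = "EPRT |1|%s|%d|\r\n" % (mp.public_ip, mp.public_port)
            self.seq_delta += len(rewritten) - len(cmd)
            return rewritten, mp
        # Unknown or unsupported command: forwarded untouched, no mapping.
        # An EPRT-unaware ALG silently lets the data connection fail here.
        return cmd, None

    def admits_inbound(self, dst_ip: str, dst_port: int) -> Optional[Mapping]:
        """Would the firewall admit the server's connection to dst_ip:dst_port?"""
        for mp in self.mappings:
            if (mp.public_ip, mp.public_port) == (dst_ip, dst_port):
                return mp
        return None


if __name__ == "__main__":
    # Constructed sample session: client 10.0.0.5 behind NAT 203.0.113.9.
    alg = FtpAlg("203.0.113.9")
    print(alg.process("PORT 10,0,0,5,4,1\r\n"))        # rewritten + mapping
    print(alg.process("EPRT |1|10.0.0.5|1026|\r\n"))    # untouched, None
    print("seq delta:", alg.seq_delta)
    print(alg.admits_inbound("203.0.113.9", 40000))
```

Run as written, the PORT line is rewritten from 19 to 25 bytes, so every later segment in that direction needs its sequence number shifted by 6; the EPRT line passes through without a mapping because this ALG predates the extension, which is the "protocol upgrade" failure from the thread; and after AUTH TLS the ALG opens nothing at all, which is the "requires unencrypted communications" point. A proxy that the endpoint explicitly talks to, as Roland proposes, needs none of this guessing because the client hands it the addresses directly.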
