Relay agents, NAT, and offers to giaddr

Simon Hobson dhcp1 at thehobsons.co.uk
Sat Sep 16 06:52:44 UTC 2006


Hmm, this thread seems to be drifting a bit!

David W. Hankins wrote:

>On Fri, Sep 15, 2006 at 03:52:35PM -0700, Alan DeKok wrote:
>>     But that's just what NAT boxes do...
>
>Not precisely, no.  NAT boxes do not, as a general rule, peer into
>SIP exchanges and 'fix' them so that SIP works across NAT, much
>to the chagrin of any VOIP sysadmin you might meet.

And in the one case I've personally come across that did (a Cisco 
router), it took me a while to figure out what was wrong and why it 
BROKE my SIP. The other factor is that alongside SIP is the RTP data 
stream - and unless you keep a sophisticated state table for all SIP 
exchanges the gateway isn't going to be able to manage the ports for 
that.

My preferred solution if there is more than one phone is to manually 
configure the port forwarding for each phone, and manually configure 
each phone with the public IP so that it can correctly form its SIP 
packets with the public address & ports.


>Neither do they peer into any other UDP payload, and if they
>were to, the results would be more disastrous than they are
>already.

I agree 100% with that.


Sten Carlsen wrote:

>What I see as really ugly and sometimes dangerous is the fact that the
>dhcp-server must know exactly what goes on behind the NAT. I use NAT
>precisely to avoid that.
>
>This also makes me worry about IPv6, I want to be in charge of what is
>visible to the world.

I think you are unduly paranoid! And also unduly optimistic about 
the protection NAT gives you. Browsers readily give away your RFC1918 
addresses to servers, and also these days I think the focus of 
attention has shifted significantly away from directly attacking 
systems to methods such as tricking users into installing stuff. Once 
a machine is compromised, it has free rein to call out and NAT does 
nothing to protect you there - I also imagine that some malware 
already has some sort of 'proxy service' to allow the nasties to map 
the inside of your NAT and attack machines there. One method that 
comes to mind is to form an outgoing packet with forged source MAC 
and IP so that the NAT gateway will open up a mapping that allows an 
external machine to send packets to another internal machine.

Another factor is that most sites I deal with have at least one, 
usually more, machine made accessible via port forwarding - so you 
have direct attack points there.

As long as you still use a firewall and set sensible rules, I see no 
problem with people seeing the address of your devices - they just 
won't be able to open any connections to them anyway so what does it 
gain them. If you are really paranoid then you will not allow any 
incoming connections at all (not even ping) and so the internal 
devices will not even be visible to someone doing a scan.

The benefit will be that protocols like SIP will 'just work' and a 
whole shedload of networking problems will be gone (for good I hope).


I stand by my opinion that NAT is an even abomination but 
unfortunately necessary. What's doubly worse is that with so many 
people thinking that NAT is good, it's removing the pressure to get IP6 
going - "we don't need IP6, NAT does the job".



More information about the dhcp-users mailing list