Relay agents, NAT, and offers to giaddr
Simon Hobson
dhcp1 at thehobsons.co.uk
Sat Sep 16 06:52:44 UTC 2006
Hmm, this thread seems to be drifting a bit!
David W. Hankins wrote:
>On Fri, Sep 15, 2006 at 03:52:35PM -0700, Alan DeKok wrote:
>> But that's just what NAT boxes do...
>
>Not precisely, no. NAT boxes do not, as a general rule, peer into
>SIP exchanges and 'fix' them so that SIP works across NAT, much
>to the chagrin of any VOIP sysadmin you might meet.
And in the one case I've personally come across that did (a Cisco
router), it took me a while to figure out what was wrong and why it
BROKE my SIP. The other factor is that alongside SIP is the RTP data
stream - and unless you keep a sophisticated state table for all SIP
exchanges the gateway isn't going to be able to manage the ports for
that.
My preferred solution if there is more than one phone is to manually
configure the port forwarding for each phone, and manually configure
each phone with the public IP so that it can correctly form its SIP
packets with the public address & ports.
>Neither do they peer into any other UDP payload, and if they
>were to, the results would be more disastrous than they are
>already.
I agree 100% with that.
Sten Carlsen wrote:
>What I see as really ugly and sometimes dangerous is the fact that the
>dhcp-server must know exactly what goes on behind the NAT. I use NAT
>precisely to avoid that.
>
>This also makes me worry about IPv6, I want to be in charge of what is
>visible to the world.
I think you are unduly paranoid! And also unduly optimistic about
the protection NAT gives you. Browsers readily give away your RFC1918
addresses to servers, and also these days I think the focus of
attention has shifted significantly away from directly attacking
systems to methods such as tricking users into installing stuff. Once
a machine is compromised, it has free rein to call out and NAT does
nothing to protect you there - I also imagine that some malware
already has some sort of 'proxy service' to allow the nasties to map
the inside of your NAT and attack machines there. One method that
comes to mind is to form an outgoing packet with forged source MAC
and IP so that the NAT gateway will open up a mapping that allows an
external machine to send packets to another internal machine.
Another factor is that most sites I deal with have at least one,
usually more, machine made accessible via port forwarding - so you
have direct attack points there.
As long as you still use a firewall and set sensible rules, I see no
problem with people seeing the address of your devices - they just
won't be able to open any connections to them anyway so what does it
gain them. If you are really paranoid then you will not allow any
incoming connections at all (not even ping) and so the internal
devices will not even be visible to someone doing a scan.
The benefit will be that protocols like SIP will 'just work' and a
whole shedload of networking problems will be gone (for good I hope).
I stand by my opinion that NAT is an even abomination but
unfortunately necessary. What's doubly worse is that with so many
people thinking that NAT is good, it's removing the pressure to get IP6
going - "we don't need IP6, NAT does the job".