[SIPForum-techwg] Comments from 2/27 - 3/2

Hadriel Kaplan HKaplan at acmepacket.com
Thu Mar 2 20:17:55 EST 2006


I still find it odd for an SP-to-Ent interop spec to tell an enterprise that
they SHOULD do something on their firewalls, when that something is only
needed if they choose to fix something a certain way, and the way in which
they fix it is up to them entirely and has no bearing on interoperability and
is not defined in the spec itself.

It's like saying "your firewalls SHOULD support being a DHCP server",
because after all the SIP PBX and phones need IP Addresses and DHCP is a way
to get them, and some firewalls can be one.

Especially when you define the STUN server to be in the DMZ, whereas it
could be implemented inside the firewall itself, or on the public side of a
firewall.  A DMZ is not on the public side of a firewall - and it may not
even be public addresses.  I'm not clear how STUN would even work in a
traditional DMZ.  Sending packets from inside to a DMZ box, if even allowed,
would not open any holes in the firewall to the public internet and would
not provide you with the same public address/port for such.

-hadriel
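An added illustration of the objection above (constructed example, not from any participant in the thread): a toy model of a firewall with inside, DMZ and public zones, in which a STUN Binding answered by a DMZ server reports an address that fails the draft's "publicly routable" MUST and leaves no public binding behind. All addresses, the zone layout and the per-zone NAT behaviour are assumptions made for the example.

```python
import ipaddress
# Constructed topology (not from the thread): one firewall with inside, DMZ and
# public zones, keeping a separate NAT binding table toward each zone.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
DMZ_NET = ipaddress.ip_network("10.1.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def publicly_routable(addr: str) -> bool:
    """The draft's MUST: an address put in a SIP header may not be RFC 1918 space."""
    return not any(ipaddress.ip_address(addr) in net for net in RFC1918)

class Firewall:
    def __init__(self, dmz_addr="10.1.1.1", public_addr="203.0.113.7"):
        self.if_addr = {"dmz": dmz_addr, "public": public_addr}  # constructed interface addresses
        self.bindings = {}  # (zone, inside_ip, inside_port) -> (mapped_ip, mapped_port)
        self.next_port = 40000

    @staticmethod
    def zone_of(dst: str) -> str:
        ip = ipaddress.ip_address(dst)
        return "inside" if ip in INSIDE_NET else "dmz" if ip in DMZ_NET else "public"

    def translate(self, src, sport, dst):
        """Source as the destination zone sees it; a binding exists only toward that zone."""
        zone = self.zone_of(dst)
        if zone == "inside":
            return src, sport  # no NAT between inside hosts
        key = (zone, src, sport)
        if key not in self.bindings:
            self.bindings[key] = (self.if_addr[zone], self.next_port)
            self.next_port += 1
        return self.bindings[key]

    def has_public_pinhole(self, src, sport) -> bool:
        return ("public", src, sport) in self.bindings

def stun_binding(fw, client, cport, server):
    """STUN Binding: the server reflects the source it saw (MAPPED-ADDRESS)."""
    return fw.translate(client, cport, server)

def compare(client="10.0.0.50", cport=5060):
    """Ask a DMZ STUN server, then a public one; report what each taught the client."""
    fw = Firewall()
    dmz_mapped = stun_binding(fw, client, cport, "10.1.1.20")     # STUN server in the DMZ
    pinhole_after_dmz = fw.has_public_pinhole(client, cport)      # still no public binding
    pub_mapped = stun_binding(fw, client, cport, "198.51.100.9")  # STUN server on the Internet
    return {"dmz": dmz_mapped, "dmz_routable": publicly_routable(dmz_mapped[0]),
            "pinhole_after_dmz": pinhole_after_dmz,
            "public": pub_mapped, "public_routable": publicly_routable(pub_mapped[0])}
```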


> -----Original Message-----
> From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On
> Behalf Of Chris Sibley
> Sent: Thursday, March 02, 2006 2:54 PM
> To: Joanne McMillen; techwg at sipforum.org
> Subject: RE: [SIPForum-techwg] Comments from 2/27 - 3/2
> 
> Hi Joanne,
> 
> Actually, on the Firewall and NAT traversal issue I thought that we had
> already agreed to change the wording so that it would 1) accommodate the
> use of SIP-aware firewalls, SBCs, etc. and 2) not specifically mandate
> the exclusion of symmetric NATs and ALGs.
> 
> Here's the latest (draft 5) text as I have it right now. Feel free to
> suggest any additional changes you think are needed..
> 
> Thanks,
> 
> --Chris
> 
> -----------
> 8  Firewall and NAT Traversal
> 
> IP addresses contained within the SIP headers of messages exchanged between
> the Service Provider and Enterprise networks MUST be publicly routable IP
> addresses.
> 
> This requirement implies that any "fix up" functions necessary for NAT
> traversal have already been performed either by the device originating the
> message (i.e. using STUN/TURN/ICE, static configuration, etc.) or by a
> network element (i.e. SIP-aware firewall, Session Border Controller, etc.)
> before the message is permitted to leave the Service Provider / Enterprise
> network edge.
> 
> Service Provider and Enterprise network firewalls SHOULD be STUN-friendly
> (RFC 3489 [18]), meaning that they do not interfere with the proper
> operation of STUN between inside hosts and a STUN server in the DMZ.
> --------------
> 
> >
> 
> > -----Original Message-----
> > From: Joanne McMillen [mailto:joanne at avaya.com]
> > Sent: Thursday, March 02, 2006 10:40 AM
> > To: Chris Sibley; techwg at sipforum.org
> > Subject: Re: [SIPForum-techwg] Comments from 2/27 - 3/2
> >
> > Thanks Chris - I was getting ready to suggest something similar for
> > a "discussion/voting" list for what's still outstanding so we could all be
> > clear about what those are. It's not clear we have reached consensus
> > about Firewall and NAT Traversal. Is that one that will be in that list?
> > If not, can you circulate that updated text separately so we are all on
> > board with the latest text and are sure we all agree? I believe there
> > were significant changes proposed.
> >
> > Thanks - Joanne
> >
> > ----- Original Message -----
> > From: "Chris Sibley" <chris.sibley at cbeyond.net>
> > To: <techwg at sipforum.org>
> > Sent: Thursday, March 02, 2006 7:19 AM
> > Subject: [SIPForum-techwg] Comments from 2/27 - 3/2
> >
> >
> > > Ernst, Hadriel, Paul/Cullen, Rohan, et al.,
> > >
> > > Thanks once again for reviewing and commenting on the latest version of
> > > the draft. In the interest of time, rather than respond to each of your
> > > posts individually I thought that I would take the following approach:
> > >
> > > 1 - Consolidate all requested changes into a "master list".
> > >
> > > 2 - Update the current working draft (draft 5) based on this master list
> > > where:
> > >
> > > A - The change is only minor (i.e. a nit)
> > >
> > >       and/or
> > >
> > > B - At least one other person has made the same comment
> > >
> > > (I will of course document these changes in the draft release notes so
> > > that everyone can see what was changed.)
> > >
> > > 3 - For anything "left over", I will put together a consolidated email
> > > of those items that still need discussion and send it out to the group.
> > >
> > > Sound good?
> > >
> > > Thanks,
> > >
> > > --Chris
> > >
> > > _______________________________________________
> > > techwg mailing list
> > > Send mail to: techwg at sipforum.org
> > > Unsubscribe or edit options at:
> > > http://sipforum.org/mailman/listinfo/techwg
> > >
