[SIPForum-techwg] Comments from 2/27 - 3/2

Janne Magnusson janne at ingate.com
Fri Mar 3 04:45:15 EST 2006


A STUN friendly firewall must be a full cone NAT firewall, and those are
not common in enterprise environments as the security is much better
with a symmetric NAT firewall.

The STUN friendly firewall requirement is only valid if STUN is used; in
other cases the enterprise should be free to choose a firewall as they
like. In most cases an enterprise will want to keep the existing
firewall, and requirements like the one suggested will hamper enterprises'
willingness to implement SIP PBX technology.

I suggest that the last paragraph is removed. It is a pretty obvious
requirement if you choose to implement a STUN solution that all network
elements must be STUN friendly.

/Janne

> -----Original Message-----
> From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Hadriel Kaplan
> Sent: Friday, March 03, 2006 2:18 AM
> To: 'Chris Sibley'; 'Joanne McMillen'; techwg at sipforum.org
> Subject: RE: [SIPForum-techwg] Comments from 2/27 - 3/2
> 
> I still find it odd for an SP-to-Ent interop spec to tell an enterprise that
> they SHOULD do something on their firewalls, when that something is only
> needed if they choose to fix something a certain way, and the way in which
> they fix it is up to them entirely and has no bearing on interoperability and
> is not defined in the spec itself.
> 
> It's like saying "your firewalls SHOULD support being a DHCP server",
> because after all the SIP PBX and phones need IP Addresses and DHCP is a way
> to get them, and some firewalls can be one.
> 
> Especially when you define the STUN server to be in the DMZ, whereas it
> could be implemented inside the firewall itself, or on the public side of a
> firewall.  A DMZ is not on the public side of a firewall - and it may not
> even be public addresses.  I'm not clear how STUN would even work in a
> traditional DMZ.  Sending packets from inside to a DMZ box, if even allowed,
> would not open any holes in the firewall to the public internet and would
> not provide you with the same public address/port for such.
> 
> -hadriel
> 
> 
> > -----Original Message-----
> > From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Chris Sibley
> > Sent: Thursday, March 02, 2006 2:54 PM
> > To: Joanne McMillen; techwg at sipforum.org
> > Subject: RE: [SIPForum-techwg] Comments from 2/27 - 3/2
> >
> > Hi Joanne,
> >
> > Actually, on the Firewall and NAT traversal issue I thought that we had
> > already agreed to change the wording so that it would 1) accommodate the
> > use of SIP-aware firewalls, SBCs, etc. and 2) not specifically mandate
> > the exclusion of symmetric NATs and ALGs.
> >
> > Here's the latest (draft 5) text as I have it right now. Feel free to
> > suggest any additional changes you think are needed.
> >
> > Thanks,
> >
> > --Chris
> >
> > -----------
> > 8 Firewall and NAT Traversal
> >
> > IP addresses contained within the SIP headers of messages exchanged between
> > the Service Provider and Enterprise networks MUST be publicly routable IP
> > addresses.
> >
> > This requirement implies that any "fix up" functions necessary for NAT
> > traversal have already been performed either by the device originating the
> > message (i.e. using STUN/TURN/ICE, static configuration, etc.) or by a
> > network element (i.e. SIP-aware firewall, Session Border Controller, etc.)
> > before the message is permitted to leave the Service Provider / Enterprise
> > network edge.
> >
> > Service Provider and Enterprise network firewalls SHOULD be STUN-friendly
> > (RFC 3489 [18]), meaning that they do not interfere with the proper
> > operation of STUN between inside hosts and a STUN server in the DMZ.
> > --------------
> >
> > >
> >
> >
> > > -----Original Message-----
> > > From: Joanne McMillen [mailto:joanne at avaya.com]
> > > Sent: Thursday, March 02, 2006 10:40 AM
> > > To: Chris Sibley; techwg at sipforum.org
> > > Subject: Re: [SIPForum-techwg] Comments from 2/27 - 3/2
> > >
> > > Thanks Chris - I was getting ready to suggest something similar for
> > > a "discussion/voting" list for what's still outstanding so we could
> > > all be clear about what those are. It's not clear we have reached
> > > consensus about Firewall and NAT Traversal. Is that one that will be in
> > > that list? If not, can you circulate that updated text separately so we
> > > are all on board with the latest text and are sure we all agree? I
> > > believe there were significant changes proposed.
> > >
> > > Thanks - Joanne
> > >
> > > ----- Original Message -----
> > > From: "Chris Sibley" <chris.sibley at cbeyond.net>
> > > To: <techwg at sipforum.org>
> > > Sent: Thursday, March 02, 2006 7:19 AM
> > > Subject: [SIPForum-techwg] Comments from 2/27 - 3/2
> > >
> > >
> > > > Ernst, Hadriel, Paul/Cullen, Rohan, et al.,
> > > >
> > > > Thanks once again for reviewing and commenting on the latest version of
> > > > the draft. In the interest of time, rather than respond to each of your
> > > > posts individually I thought that I would take the following approach:
> > > >
> > > > 1 - Consolidate all requested changes into a "master list".
> > > >
> > > > 2 - Update the current working draft (draft 5) based on this master
> > > > list where:
> > > >
> > > > A - The change is only minor (i.e. a nit)
> > > >
> > > >       and/or
> > > >
> > > > B - At least one other person has made the same comment
> > > >
> > > > (I will of course document these changes in the draft release notes so
> > > > that everyone can see what was changed.)
> > > >
> > > > 3 - For anything "left over", I will put together a consolidated email
> > > > of those items that still need discussion and send it out to the group.
> > > >
> > > > Sound good?
> > > >
> > > > Thanks,
> > > >
> > > > --Chris
> > > >
> > > > _______________________________________________
> > > > techwg mailing list
> > > > Send mail to: techwg at sipforum.org
> > > > Unsubscribe or edit options at:
> > > > http://sipforum.org/mailman/listinfo/techwg
> > > >
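Two points in the thread, Janne's claim that only a full cone NAT is "STUN friendly" and Hadriel's remark that STUN only helps if the firewall hands out the same public address/port, can be checked with a small model of NAT mapping and filtering behaviour. This is an added example, not code from the thread or the SIP Forum draft; the NAT classes follow RFC 3489 terminology and all addresses and endpoints are constructed.

```python
# Constructed example (not from the thread or the SIP Forum draft): a model of
# NAT mapping and filtering behaviour in RFC 3489 terms, documentation addresses.
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)
KINDS = ("full_cone", "restricted", "port_restricted", "symmetric")

class Nat:
    """Allocates public mappings on outbound traffic and filters inbound."""

    def __init__(self, kind: str, public_ip: str = "203.0.113.1"):
        self.kind, self.public_ip, self.next_port = kind, public_ip, 40000
        self.mappings: Dict[tuple, Endpoint] = {}       # mapping key -> public endpoint
        self.peers: Dict[Endpoint, Set[Endpoint]] = {}  # public endpoint -> dests contacted

    def outbound(self, inside: Endpoint, dest: Endpoint) -> Endpoint:
        """Inside host sends to dest; returns the source address/port dest sees."""
        # A symmetric NAT keys the mapping on the destination too, so every new
        # destination gets a fresh public port; cone NATs key on the inside host only.
        key = (inside, dest) if self.kind == "symmetric" else (inside,)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        pub = self.mappings[key]
        self.peers.setdefault(pub, set()).add(dest)
        return pub

    def inbound(self, src: Endpoint, dest_pub: Endpoint) -> bool:
        """Would a packet from src to the public endpoint reach the inside host?"""
        contacted = self.peers.get(dest_pub)
        if contacted is None:
            return False                       # no such mapping
        if self.kind == "full_cone":
            return True                        # anyone may use the mapping
        if self.kind == "restricted":
            return any(p[0] == src[0] for p in contacted)  # same IP, any port
        return src in contacted                # port_restricted and symmetric

INSIDE = ("10.0.0.5", 5060)            # enterprise SIP PBX (constructed)
STUN_SERVER = ("198.51.100.10", 3478)  # STUN server on the public side (constructed)
SP_PEER = ("192.0.2.20", 5060)         # service-provider SIP element (constructed)

def reachable_via_stun_address(kind: str, contact_peer_first: bool) -> bool:
    """Learn the mapped address via STUN, then check whether SP_PEER can use it."""
    nat = Nat(kind)
    mapped = nat.outbound(INSIDE, STUN_SERVER)  # MAPPED-ADDRESS in the Binding Response
    if contact_peer_first:
        nat.outbound(INSIDE, SP_PEER)           # e.g. the PBX first sends a REGISTER out
    return nat.inbound(SP_PEER, mapped)         # SP sends an INVITE to the learned address
```

Only the full cone case accepts an unsolicited INVITE at the STUN-learned address; the restricted cones work once the PBX has contacted the peer itself, and the symmetric NAT never does, because the peer gets a different public port than the STUN server saw.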