[BEEPwg] Callback/Rendezvous Profiles

Kevin Kress kkress@myslo.net
22 Aug 2002 16:34:48 -0700


From what I have read the Callback and Rendezvous profiles both could be
created without even giving a thought to NAT.  NAT breaks 99% of what
the net is for anyway (he says through his NATed firewall).  In general
I try to ignore NAT in hopes that it will go away (ie IPv6 will be
used).  I think this is a case where ignoring NAT is the right thing to
do; both profiles can exist above that layer and allow the protocol
binding to handle all that nastiness.

As for security, I think both profiles have uses outside the strict
security realm.  An example Gabe mentioned was using the Rendezvous
Profile to allow anonymous connections.  Someone else mentioned the
callback being used for load balancing.

just my 2c

--Kevin

On Thu, 2002-08-22 at 15:18, james woodyatt wrote:
> On Thursday, Aug 22, 2002, at 11:05 US/Pacific, Gabe Wachob wrote:
> >
> > I think there would be a lot of use for/interest in a rendezvous 
> > profile.
> > There is the tunnel profile but I don't think it addresses the "dual NAT"
> > problem (ie two parties, each behind NATs, trying to make connections).
> >
> > This is an issue that goes beyond BEEP, of course.
> 
> I think both the Callback profile and the Rendezvous profile are 
> actively BAD ideas.  I say this as a guy whose day job is maintaining 
> the firmware in a NAT routing home Internet gateway appliance device.
> 
> I think that there are already plenty of good security mechanisms 
> defined in the BEEP core; there is no additional security benefit to be 
> had by employing a Callback profile.  If you don't believe me, then I 
> recommend taking the idea immediately to your nearest friendly 
> neighborhood Security Area specialist, and see how far you can go with 
> it.  Consider this: the listener doesn't have to offer any profiles in 
> its greeting message to initiators.  It can instead expect the 
> initiator to offer the first tuning profile in its greeting.
> 
> Also, you should see draft-iab-unsaf-considerations-02.txt for a good 
> description of the set of problems in this Rendezvous profile you are 
> suggesting.  (I contributed section C.2 of that document.)
> 
> I've only seen one protocol for unilaterally fixing the public 
> addresses of multiple peers in different private address realms that 
> didn't make me want to retch violently.  The latest version of it is 
> described in draft-ietf-ngtrans-shipworm-07.txt, and it's used for 
> establishing IPv6 connectivity by tunneling over UDP/IPv4.  The reason 
> I make an exception for it is that it is clearly intended to let IPv6 
> treat IPv4/NAT like the damage it is and route around it.
> 
> Please please please do not try to advance either of these ideas as 
> Internet standards.
> 
> 
> --james
> 
> _______________________________________________
> BEEPwg mailing list
> BEEPwg@lists.beepcore.org
> http://lists.beepcore.org/mailman/listinfo/beepwg
>