[fw-wiz] Transparent proxies and PMTUD on the (WWW) server side
From: Patrick M. Hausen (hausen_at_punkt.de)
Date: 08/21/03
- Previous message: Dave Killion: "RE: [fw-wiz] Apple's iSight and Firewalls"
- Next in thread: edp: "R: [fw-wiz] Transparent proxies and PMTUD on the (WWW) server side"
- Reply: edp: "R: [fw-wiz] Transparent proxies and PMTUD on the (WWW) server side"
- Reply: Mikael Olsson: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) server side"
- Reply: Carson Gaspar: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) server side"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Aug 2003 17:28:23 +0200 (CEST)
Hi fellow wizards!
Today I found the solution to a problem that has kept me
busy for the last couple of days:
Imagine a corporate network with several branch offices.
The only connection to the Internet takes place through a single
application level firewall at the head office. A product like
Gauntlet or the new Sidewinder G2 that is strictly proxy based
in the default configuration but transparent to the client workstation.
I found the problem while deploying a Sidewinder G2, but the general
problem applies to all transparent ALGs.
Said corporate network is implemented partly via IPSec/GRE
tunnels through regular internet connections. These are not
handled by the firewall, but by <insert your favorite router vendor>
boxes.
Now when someone located in a branch office "surfs" to e.g.
www.google.com the following things will happen:
- the ALG checks if the client is permitted that connection and,
if yes, creates a new proxy session
- the ALG forwards the request to www.google.com
- www.google.com sends the desired HTTP content in a 1500-byte
frame with DF=1 since the server implements PMTUD
- this frame gets to the outside of our ALG just fine in our case,
no weird things happening in this part of the Internet
- the client side of the proxy sends a 1500-byte frame
to the client PC with DF=1 since the firewall implements PMTUD
- yet the packet sent to the client has got a source address
of "www.google.com" since the proxy is operating transparently
- the first internal VPN router tries to encapsulate the packet and
fails since it is too big for the next hop and DF=1 - so it sends
"ICMP frag needed but DF set" to ... www.google.com!
What's supposed to happen now? What common solutions have you seen
in available products?
Sidewinder G2 simply drops the ICMP packet which never reaches
www.google.com, so "surfing" simply doesn't work. My ad hoc solution
was to turn off PMTUD on the Sidewinder box so the internal packets
could be fragmented. I don't really like that but it works for now.
I can think of a couple of different approaches that a transparent
ALG could take:
- Permit "ICMP frag needed" from internal to external with appropriate
NAT _if_ there is an active proxy session to the external destination.
This relies on the assumption that, if the external WWW server lowers
its MSS, the client side part of the proxy application will send
smaller frames, too - as soon as it gets them.
Since the proxy is operating on the application layer it _could_
completely reblock the TCP data stream and always send maximum
sized frames on the inside doing its own PMTUD. This would render
permitting "ICMP frag needed" useless.
- If the ALG doesn't support a mechanism like this, one could configure
the packet filter/NAT function that all current ALGs (which are
really hybrid products now) seem to have manually.
The same caveat as above applies - if the proxy process sends
maximum sized frames on the inside regardless of the MSS on the
outside, www.google.com will know what to do, but that will
be useless to the internal client.
- The perfect approach IMHO would be to have the ALG lower its own
MSS on the client side when it encounters an "ICMP frag needed"
that can be matched to an active proxy connection and leave the
outside connection as it is.
This can't be accomplished or even mimicked by proxy or packet
filter rules but must be implemented as a feature of the ALG in
question.
So, what do you think?
Thanks,
Patrick
P.S. An additional approach would be "don't use transparent proxies,
configure them explicitly". Well ...
--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0   Fax: -100
76137 Karlsruhe       http://punkt.de

firewall-wizards mailing list, firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
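The third approach in the post above (match an inside "ICMP frag needed" to an active proxy session and lower only the client-side MSS) can be sketched in working code. The following is an added example, not code from the original post or from any Sidewinder or Gauntlet product; it builds the ICMP type 3 / code 4 message the way a router following RFC 792 and RFC 1191 would, then shows a hypothetical ALG session table matching the quoted inner header against its sessions. The addresses (192.0.2.10 standing in for www.google.com, a 10.1.2.3 client, a 10.1.0.1 VPN router) and the 1400-byte tunnel MTU are constructed for the example.

```python
"""Transparent proxy + PMTUD: match ICMP frag-needed to a proxy session.

Added example. Addresses, MTU and the session-table design are assumptions
used for illustration, not taken from any product.
"""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header. DF=1 is what a PMTUD sender emits."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte TCP header (no options) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def frag_needed(router_ip: str, too_big: bytes, next_hop_mtu: int) -> bytes:
    """What the VPN router sends when a DF=1 packet will not fit after
    encapsulation: ICMP type 3 code 4 with the next-hop MTU (RFC 1191),
    quoting the offending IP header plus 8 bytes, addressed to the packet's
    *source* address - which for a transparent proxy is the remote server."""
    ihl = (too_big[0] & 0x0F) * 4
    original_src = socket.inet_ntoa(too_big[12:16])
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + too_big[:ihl + 8]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router_ip, original_src, IPPROTO_ICMP, len(body), df=False) + body


@dataclass
class ProxySession:
    server_ip: str
    server_port: int
    client_ip: str
    client_port: int
    inside_mss: int = 1460   # MSS the proxy uses toward the client (1500 - 40)
    outside_mss: int = 1460  # MSS toward the real server; never touched here


class TransparentALG:
    """Hypothetical ALG: ICMP arriving on the inside interface is matched
    against active proxy sessions by the quoted (src, sport, dst, dport)."""

    def __init__(self, sessions):
        self.sessions = {(s.server_ip, s.server_port, s.client_ip, s.client_port): s
                         for s in sessions}

    def inside_icmp(self, packet: bytes):
        if len(packet) < 28 or packet[9] != IPPROTO_ICMP:
            return ("dropped", "not icmp")
        icmp = packet[(packet[0] & 0x0F) * 4:]
        if inet_checksum(icmp) != 0:
            return ("dropped", "bad checksum")
        itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
        if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or mtu < 68:
            return ("dropped", "not a usable frag-needed")
        quoted = icmp[8:]
        qihl = (quoted[0] & 0x0F) * 4
        if quoted[9] != IPPROTO_TCP or len(quoted) < qihl + 4:
            return ("dropped", "quoted datagram not tcp")
        q_src = socket.inet_ntoa(quoted[12:16])  # spoofed server address
        q_dst = socket.inet_ntoa(quoted[16:20])  # internal client
        sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
        sess = self.sessions.get((q_src, sport, q_dst, dport))
        if sess is None:
            return ("dropped", "no matching proxy session")  # never forwarded outside
        sess.inside_mss = min(sess.inside_mss, mtu - 40)     # IP + TCP header overhead
        return ("clamped", (q_src, sport, q_dst, dport), sess.inside_mss)


def demo():
    """Constructed scenario: 1500-byte proxied reply hits a 1400-byte tunnel."""
    client, server, router = "10.1.2.3", "192.0.2.10", "10.1.0.1"
    alg = TransparentALG([ProxySession(server, 80, client, 51000)])
    too_big = ipv4_header(server, client, IPPROTO_TCP, 1480) + tcp_segment(80, 51000, b"A" * 1460)
    icmp = frag_needed(router, too_big, next_hop_mtu=1400)
    matched = alg.inside_icmp(icmp)
    # An ICMP for a flow the proxy does not own is dropped, not relayed.
    stray = ipv4_header(server, client, IPPROTO_TCP, 20) + tcp_segment(443, 60000, b"")
    unmatched = alg.inside_icmp(frag_needed(router, stray, 1400))
    return {"icmp_addressed_to": socket.inet_ntoa(icmp[16:20]),
            "matched": matched, "unmatched": unmatched}


if __name__ == "__main__":
    print(demo())
```

Note that `icmp_addressed_to` comes out as the server's address: that is exactly why the ICMP never reaches anything useful when the ALG simply forwards or drops it. The session lookup turns it into a local MSS clamp on the inside leg while `outside_mss` stays as negotiated with the real server.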