--state NEW for UDP?

AZ Nomad a écrit :
>
> NAT boxes using UDP broadcast their UDP packets to
> everybody on the physical network.

Nonsense. UDP NAT does not work this way, it just cannot work this way.
UDP NAT is stateful.

On Fri, 02 May 2008 16:03:01 +0200, Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>AZ Nomad a écrit :
>>
>> NAT boxes using UDP broadcast their UDP packets to
>> everybody on the physical network.

>Nonsense. UDP NAT does not work this way, it just cannot work this way.
>UDP NAT is stateful.

It does and it has to. UDP packets are not point to point. They
are broadcast.

Perhaps you are confusing the NFS layer atop UDP with UDP itself?

Am Fri, 02 May 2008 11:09:10 -0500 schrieb AZ Nomad:

> Perhaps you are confusing the NFS layer atop UDP with UDP itself?

Nope, a DNS query is defently unicast.

>UDP is stateless. NAT boxes using UDP broadcast their UDP packets to
>everybody on the physical network.

Not mine. If an incoming UDP packet doesn't match a connection
or an entry in the "server" table that tells it the IP Address
to send it to, the packet gets dropped.

Maybe an ICMP error is sent back.

--
These are my opinions, not necessarily my employer's. I hate spam.

AZ Nomad a écrit :
>
> UDP packets are not point to point. They are broadcast.

Unicast UDP packets are point to point. DNS queries and replies over UDP
are unicast.

> Perhaps you are confusing the NFS layer atop UDP with UDP itself?

No. What does NFS have to do with this ?

On Fri, 02 May 2008 12:37:18 +0000, Andrew Gideon wrote:

> Perhaps the issue is that responses are coming from different IPs than
> that to which the requests are sent?

Thank you, I think that is the most likely scenario, as /etc/resolv.conf
on all NAT'd machines lists 148.78.249.20[01] and the occasional
"unsolicited" UDP packets emanate from SPT=53 on 148.78.249.20[0-3].

I'll use wireshark to examine the traffic and verify that hypothesis if
possible.

>> This doesn't mean that a stateful protocol cannot be built over UDP.
>> DNS has "responses". Therefore, it has state.
>
> No, it doesn't you surely mean a session in the firewall/filter. You
> can't mix a stateless protocoll with a stateful. (but you could
> encapsulate it)

I wrote what I meant (or at least that part of it {8^), and I stand by it
(though in fact we're also speaking of firewall session states in this
conversation). An arbitrary protocol could be built over UDP which
provided it's own three-way handshake for session initiation, packet
sequence numbers, etc. These wouldn't be a part of UDP, of course, but
would be a part of the arbitrary protocol that we'd built that happens to
use UDP as the underlying transport.

So a stateful protocol can be built on top of a stateless protocol.

[But perhaps this is what you mean by "encapsulate"?]

In fact, if memory serves Ethernet is stateless. TCP packets are
transported over Ethernet.

Though, in fact, there is something I wrote incorrectly in my previous
note. DNS isn't stateful because it has requests and responses. That's
not how the term is used.

> Many stateful firewalls are able to track the state of flows in
> connectionless protocols, like UDP.

That is also true. These can also track "related" flows, like the DATA
circuit used by FTP.

[...]
> Sessions in connectionless protocols
> can only end by time-out, because there is no flag where you could
> see that ist the last packet.

This isn't necessarily true. For example, a firewall could choose to
take down the "session" for a DNS request when the response was seen.
But this is protocol specific and requires an inspecting firewall.

[...]

>
> By keeping track of the connection state, stateful firewalls provide
> added efficiency in terms of packet inspection. This is because for
> existing connections the firewall need only check the state table,
> instead of checking the packet against the firewall's rule set, which
> can be extensive.

So can the state table be extensive. From what I've read, stateless
tends to win in efficiency for this reason (though there's the added
complexity that a stateless firewall is likely to have a larger rule set).

- Andrew

On Fri, 02 May 2008 11:09:10 -0500, AZ Nomad wrote:

> It does and it has to. UDP packets are not point to point. They are
> broadcast.

I'm afraid not (though they *can* be broadcast; they don't have to be).
Do you imagine that any/every DNS request is broadcast? Or that NFS
packets are sent to every machine on a network? What happens when NFS
packets are routed?

A UDP packet has an IP address destination (though this could be a
broadcast address for a given network).

- Andrew