Wednesday, 10 August 2011

RFC3514 firewall?

I have made a test build of the FireBrick with RFC3514 support in it. Firewall rules can test for the evil bit set or unset, and can cause the evil bit to be set on the session so that, for example, NATted sessions can have the evil bit set.

Yes, a bit of fun, and I may put it in a production release one day (perhaps next April). However, it has been made as a semi-serious suggestion (by Ray Bellis) that this could be done on CGNAT systems, allowing both ends to know that they are working via some sort of NAT or other header-mangling system on the way. The bit gets set on replies on the session as well for this reason.

The concept is that where a device tries IPv4 and IPv6 at the same time and gets replies on both, it can tell from the IPv4 reply that the IPv4 path is being mangled and prefer IPv6, even if IPv6 is apparently slower to reply.
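As an added illustration (not FireBrick code and not from the original post), the following Python models the pieces described above: the evil bit as RFC 3514 defines it (the reserved high-order bit of the IPv4 flags/fragment-offset word), a firewall rule predicate that matches on it, the CGNAT marking step with the IPv4 header checksum recomputed so the marked packet is still valid, and the dual-stack preference logic that takes IPv6 when the IPv4 reply arrives marked. The packets, addresses (RFC 5737 documentation ranges) and RTT values are constructed for the example, and the function names are my own; a real NAT would also have to fix the TCP/UDP pseudo-header checksum after rewriting the source address, which is left out here.

```python
import ipaddress
import struct
from typing import Optional

# RFC 3514 puts the "evil" bit in the reserved high-order bit of the 16-bit
# flags/fragment-offset word at bytes 6-7 of the IPv4 header.
EVIL_BIT = 0x8000
DF_BIT = 0x4000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); returns 0 over a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, evil: bool = False,
               ident: int = 0x1234, ttl: int = 64, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    flags_frag = (EVIL_BIT if evil else 0) | DF_BIT
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def header_len(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4


def checksum_ok(packet: bytes) -> bool:
    return ipv4_checksum(packet[:header_len(packet)]) == 0


def has_evil_bit(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[6:8])[0] & EVIL_BIT)


def with_evil_bit(packet: bytes, evil: bool = True) -> bytes:
    """Copy of packet with the evil bit set or cleared and the header checksum recomputed."""
    hl = header_len(packet)
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    flags_frag = (flags_frag | EVIL_BIT) if evil else (flags_frag & ~EVIL_BIT & 0xFFFF)
    header = bytearray(packet[:hl])
    header[6:8] = struct.pack("!H", flags_frag)
    header[10:12] = b"\x00\x00"                       # zero before recomputing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[hl:]


def cgnat_translate(packet: bytes, public_src: str) -> bytes:
    """Outbound step of a CGNAT that marks what it mangles: rewrite the source address, then set the evil bit.
    (Hypothetical behaviour per the suggestion in the post; transport checksum fix-up omitted.)"""
    hl = header_len(packet)
    header = bytearray(packet[:hl])
    header[12:16] = ipaddress.IPv4Address(public_src).packed
    return with_evil_bit(bytes(header) + packet[hl:], True)


def firewall_match(packet: bytes, rule_evil: Optional[bool]) -> bool:
    """Rule predicate: None = don't care, True = only evil-marked packets, False = only unmarked ones."""
    if rule_evil is None:
        return True
    return has_evil_bit(packet) == rule_evil


def prefer_family(v4_reply: bytes, v4_rtt_ms: float, v6_rtt_ms: float) -> str:
    """Dual-stack choice: take IPv6 whenever the IPv4 reply says the path was mangled, otherwise the faster one."""
    if has_evil_bit(v4_reply):
        return "ipv6"
    return "ipv4" if v4_rtt_ms < v6_rtt_ms else "ipv6"


if __name__ == "__main__":
    # Constructed sample: an inside host behind CGNAT talking to a server.
    inside = build_ipv4("10.0.0.5", "198.51.100.7", b"hello")
    marked = cgnat_translate(inside, "203.0.113.1")
    print("evil bit after CGNAT:", has_evil_bit(marked), "checksum ok:", checksum_ok(marked))
    print("rule 'evil only' matches translated packet:", firewall_match(marked, True))
    print("preferred family given marked IPv4 reply:", prefer_family(marked, 5.0, 20.0))
```

The firewall side of this is just `firewall_match`: a rule can require the bit set, require it clear, or ignore it, which is the "set or unset" test the post describes. The interesting property is in `cgnat_translate` and `with_evil_bit`: marking a packet changes a header word, so the IPv4 header checksum must be recomputed or the marked packet is simply dropped by the next hop.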

So now, not only do we all know NAT is evil, but we can have the evil bit actually tell us that :-)
