[nos-bbs] Xrouter mystery

Barry Siegfried k2mf at k2mf.ampr.org
Mon Nov 13 03:17:58 EST 2006


[Brett Mueller <wa7v at wa7v.com> wrote]:

> On 11/10/2006 16:56, Jack Taylor wrote:
>
> > The mystery here is why are users able to connect to AZGATE from an
> > Xrouter and return to the Xrouter, but not be able to connect direct
> > to the Xrouter when originating from AZGATE?
>
> I believe I know who you are talking about, so let me offer the
> following.  My guess is that he is running a firewall and/or NAT router
> that doesn't have any provisions for creating protocol 93 (AXIP) rules.
> The firewall/router will permit and/or NAT incoming AXIP frames only
> when it believes these are frames related to outgoing ones -- hence,
> doing some primitive connection-tracking.

Brett has analyzed this problem very well and it *is* a problem
with these small consumer IPNAT routers that makes them only
"somewhat" suitable for use in an environment that requires the
transmission of IPIP.  There is a fix, however.  If you open a
DMZ from the router to your gateway then the router will blindly
pass all traffic to the gateway that it doesn't already have on
a TCP/UDP port forwarding list, including IPIP frames.

The primitive connection "tracking" to which Brett refers is
necessary to do NAT/NPT properly but it does get in the way
when the router won't pass any incoming traffic except TCP/UDP
(and ICMP) specifications which are on the port forwarding list.

> Is it possible to initiate a connection from AZGATE *concurrently*
> while someone else is connected from the Xrouter to AZGATE?  This
> might confirm the connection-tracking hypothesis.

In nearly all of the cases of those IPIP gateways which are affected
by this, the above condition will work nearly 100% of the time.

> If such is the case, the possible solutions that I can think of are:
>
> 1. Use AXUDP instead of AXIP, or
> 2. The Xrouter sysop would need to replace his firewall/router with
>    something that understands protocols beyond TCP, UDP, and ICMP,
>    or
> 3. Set up a VPN tunnel.
>
> Maybe others?

Yes... another good one is IPUDP.  It is the direct encapsulation of
IP within UDP to destination port 94 (just like AXUDP is the direct
encapsulation of AX.25 within UDP to destination port 93).  This is
a tremendous solution for people who have these small IPNAT routers
that don't have DMZs open and for subscribers who have providers who
won't pass any traffic through their border routers other than TCP,
UDP and ICMP.

Interestingly, IPUDP was originally developed FOR Xrouter by G8PZT
in December, 2002 and then in October, 2004 was independently coded
for a NOS program from which Maiko then extracted it and wisely ported
it into JNOS.  Maiko then tried to get an RFC for it published but
his effort did not succeed because the person to whom he submitted
the paper and who could get the job accomplished either wasn't really
interested in pursuing or had no time to pursue it.

The other down side to using IPUDP is that it hasn't yet been ported
to Unix, which means a Linux gateway and mirrorshades (BSD unix)
can't yet make use of it.  But any gateway that can support it CAN
make use of it as long as they can find a well-connected and well-
maintained "hosting" gateway that also supports both IPIP and IPUDP
and has no small IPNAT router or provider restraints on its own
IPIP operation.

73, de Barry, K2MF >>
           o
          <|>      Barry Siegfried
+---------/-\---------------------------+
| Internet | bgs at mfnos.net              |
| HomePage | http://www.mfnos.net/~bgs  |
+----------+----------------------------+
| Amprnet  | k2mf at k2mf.ampr.org         |
| PBBS     | k2mf at k2ge.#cnj.nj.usa.noam |
+----------+----------------------------+
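As an added illustration that is not part of this thread, here is a small Python model of the consumer IPNAT router behaviour Brett and Barry describe: TCP/UDP/ICMP are matched against a port-forwarding list, any other IP protocol (AXIP is protocol 93, IPIP protocol 4) only passes inbound when a matching outbound flow to that remote host was seen, and a DMZ host receives everything else. The class names, addresses and the replayed scenarios are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
# IP protocol numbers named in the thread (this is a constructed model, not router firmware)
IPIP, ICMP, TCP, UDP, AXIP = 4, 1, 6, 17, 93
STATEFUL = {TCP, UDP, ICMP}    # the only protocols the small box tracks by port/ID

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: int = 0             # TCP/UDP destination port; meaningless for IPIP/AXIP

@dataclass
class ConsumerNatRouter:
    """Minimal model of a small IPNAT box as described in the thread."""
    forwards: Dict[Tuple[int, int], str] = field(default_factory=dict)  # (proto, port) -> LAN host
    dmz_host: Optional[str] = None
    _out: Dict[Tuple[int, str], str] = field(default_factory=dict)      # (proto, remote) -> LAN host

    def outbound(self, lan_host: str, pkt: Packet) -> None:
        # Primitive tracking: remember which LAN host talked to which remote, per protocol
        self._out[(pkt.proto, pkt.dst)] = lan_host

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the LAN host that receives pkt, or None if the router drops it."""
        if pkt.proto in STATEFUL and (pkt.proto, pkt.dport) in self.forwards:
            return self.forwards[(pkt.proto, pkt.dport)]  # explicit port-forward entry
        if (pkt.proto, pkt.src) in self._out:
            return self._out[(pkt.proto, pkt.src)]        # looks like a reply to our own flow
        if self.dmz_host is not None:
            return self.dmz_host                          # DMZ: everything unmatched goes here
        return None

def scenarios() -> Dict[str, Optional[str]]:
    """Replay the situations from the thread; addresses are constructed (RFC 5737 ranges)."""
    azgate, other, xrouter, pub = "198.51.100.1", "198.51.100.2", "192.168.1.10", "203.0.113.7"
    r, res = ConsumerNatRouter(), {}
    # AZGATE originates AXIP (protocol 93) to the Xrouter with no prior outbound flow: dropped
    res["axip_from_azgate_cold"] = r.inbound(Packet(AXIP, azgate, pub))
    # Xrouter connects to AZGATE first; AZGATE's frames now match a tracked flow
    r.outbound(xrouter, Packet(AXIP, xrouter, azgate))
    res["axip_from_azgate_after_out"] = r.inbound(Packet(AXIP, azgate, pub))
    # Tracking is per remote host, so a different gateway still cannot originate AXIP
    res["axip_from_other_gateway"] = r.inbound(Packet(AXIP, other, pub))
    # AXUDP to UDP/93 with a port-forward rule passes without any prior outbound traffic
    r.forwards[(UDP, 93)] = xrouter
    res["axudp_from_other_gateway"] = r.inbound(Packet(UDP, other, pub, dport=93))
    # With the Xrouter in the DMZ, even unsolicited IPIP (protocol 4) is delivered
    res["ipip_via_dmz"] = ConsumerNatRouter(dmz_host=xrouter).inbound(Packet(IPIP, other, pub))
    return res
```

Real routers age out tracked flows after a timeout, which is why the "works only while the Xrouter side has recently connected out" symptom comes and goes.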
