From: Ethan Butterfield [mailto:primus@veris.org] Sent: Sunday, November 19, 2000 11:45 AM To: Jim Mercer Cc: nanog@nanog.org Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

...

From: Jim Mercer <jim@reptiles.org> Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

as i understand it, ipsec doesn't use ports.

Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH). Most firewalls I've seen block wierd (i.e., just about everything that's not standard TCP or IP Protocol 1 (ICMP)) by default, or at least flag it as strange.

In shops that block SSH, this is also what they do and is exactly what I meant. I apologize for not communicating clearly and typing poorly (too many decades writing code).

It should not be hard to set up a persistent IPSec tunnel between UNIX hosts in order to pass SMB/NETBIOS traffic. You could even do it router-to-router in gateway mode and have the traffic be cleartext on the internal side of both networks, and 3DES/SHA-1 to the rest of the world.

When possible, I do this. The whole point of this is that transit providers should not be filtering unless specifically requested.

For the Road Warrior, though, it's going to be somewhat more difficult without using a VPN, as the Win32 implementations of IPSec are somewhat...lacking. (Or at least they were six months ago when I last tried the SSH IPsec shim for NT4.) Win2K's built-in IPSec makes life much easier...if you've got clients using Win2K. Can't vouch for interoperability between Win2K-UNIX, though. Never tried it myself.

I did, just as soon as it came out. It sux! Active directory also does a number on the DOMAIN stuff in Samba. Fortunately, it allows backwards compatibility to old-style WinNT4SP5 hosts. In fact, and I am sure that MS did it to mess with the Samba folks, the entire DOMAIN stuff has been re-spec'd and re-written. --- I can't afford to have a preference, I must be agnostic.