
Re: NATs *ARE* evil!

2000-12-21 11:40:02
On Thu, 21 Dec 2000, Harald Alvestrand wrote:

> At 09:47 19/12/2000 -0800, Mike Fisk wrote:
> > It's an argument of semantics, but I prefer to say that we're separating
> > transport-layer end-to-end from application-layer end-to-end.  Make
> > applications explicitly terminate transport connections at gateways.  So
> > what is now a connection from me to you across a NAT and a proxy-ing
> > firewall would become a session-layer connection from me to you served by
> > transport connections from me to the NAT, from the NAT to the proxy, and
> > from the proxy to you.
>
> These are called "application layer gateways", and exist in droves already.
> Most firewalls implement them, in addition to NAT and packet filters.

Yes, I was being slightly more general to include other gateways that
don't necessarily operate at the application layer:  
TCP-splicing/spoofing, NAT, SOCKS, etc.

The problem is that the protocol mechanisms to discover and use these
gateways are piecemeal and inadequate.  That leads many of them to be
implemented "transparently" which breaks protocols that don't know there's
a gateway.

-- 
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information
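The breakage the message describes, a "transparent" gateway tripping up a protocol that does not know the gateway is there, is shown below in an added example that is not part of this thread or its authors' work. It models a NAT that rewrites only the IP/TCP header, beside the same NAT with an FTP application-layer gateway that also rewrites the address carried inside the FTP PORT command. The hosts, addresses, port numbers and the PORT command are constructed sample data, and "can the server connect back" is a table lookup standing in for a real TCP connect.

```python
# Added illustration (not part of the mailing-list post): a simulated NAT that
# translates only the IP/TCP header versus a NAT with an FTP application-layer
# gateway. Hosts, addresses and the PORT command are constructed sample data.
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" tells the server where to open the
# data connection. The address lives in the payload, invisible to a plain NAT.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

# RFC 1918 ranges: unroutable from the server's side of the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(payload: bytes):
    """Return the (ip, port) advertised by a PORT command, or None if not a PORT."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> bytes:
    """Encode an address as an FTP PORT command line."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class Nat:
    """Header-only translation: what a 'transparent' NAT does."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # public port -> (private ip, private port)

    def allocate(self, private_ip: str, private_port: int) -> int:
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (private_ip, private_port)
        return pub_port

    def outbound(self, pkt: Packet) -> Packet:
        # Rewrite source address/port in the header; the payload passes untouched.
        pub_port = self.allocate(pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)


class NatWithFtpAlg(Nat):
    """Same NAT plus an ALG that understands FTP and rewrites PORT in the payload."""

    def outbound(self, pkt: Packet) -> Packet:
        out = super().outbound(pkt)
        advertised = parse_port(pkt.payload)
        if pkt.dst_port == 21 and advertised:
            priv_ip, priv_port = advertised
            # Pre-open a mapping for the inbound data connection and advertise it.
            out.payload = format_port(self.public_ip, self.allocate(priv_ip, priv_port))
        return out


def server_can_connect_back(pkt: Packet, nat: Nat) -> bool:
    """The FTP server's view: is the address the client advertised reachable?"""
    advertised = parse_port(pkt.payload)
    if advertised is None:
        return False
    ip, port = advertised
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return False  # private address leaked through: the data connection fails
    return ip == nat.public_ip and port in nat.table


def demo():
    """Run one PORT command through both gateways; returns (plain_nat_ok, alg_ok)."""
    client_port_cmd = Packet("10.0.0.5", 50123, "198.51.100.20", 21,
                             format_port("10.0.0.5", 1025))
    plain = Nat("203.0.113.7")
    alg = NatWithFtpAlg("203.0.113.7")
    return (server_can_connect_back(plain.outbound(client_port_cmd), plain),
            server_can_connect_back(alg.outbound(client_port_cmd), alg))


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The plain NAT leaves "10.0.0.5" inside the PORT line, so the server tries to connect to an address it cannot reach; the ALG only works because it was taught FTP specifically, which is the piecemeal, per-protocol patching the message is objecting to. A client that knew about the gateway (SOCKS, or an explicit proxy as in the session-layer model quoted above) would have advertised the gateway's address itself.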