
Re: ISMS working group and charter problems

2005-09-07 04:43:51
Steven M. Bellovin wrote:
> More of his measurements concluded that at least 56% of hosts are
> behind a firewall that blocks by default.

It should be pointed out here that the problems
introduced by NATs are not quite the same as
problems introduced by firewalls.  While they
both impair reachability, NATs cause NATted hosts
to be unable to determine their own address (or
indeed to have an addressable presence at all
without initiating contact with another host).

In any event I think that it's a mistake to
assume that a firewall or NAT can inspect or
rewrite the contents of a data stream.  I'm not
sure that it's a good idea for the IETF to
tacitly (or otherwise) discourage encryption or
authentication.

I'm sort of "meh" on the idea of a mandatory firewall/
NAT/middlebox/filters section in protocol documents.
I'm not sure that there's a widespread problem that it
would solve.  In the case where there is a problem,
like this one, sharp eyes tend to catch it early.
We have mandatory security sections because securing
a particular protocol can be subtle and idiosyncratic
because of trust relationships and operating environment,
and firewall/NAT problems tend to be pretty much the
same from protocol to protocol with hard problems cropping
up in a small number of cases.

Melinda

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf