
RE: NATs as firewalls

2007-03-07 18:01:34


On Wednesday, March 07, 2007 04:23:20 PM -0800 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:

> We do need to revise the architecture description. Using IP addresses as
> implicit signalling

You keep using that word.  I do not think it means what you think it means.


> Another instance that hit me today is the
> fact that existing SSL implementations use the server IPv4 address to
> select which server certificate to present to a client.

No; existing SSL server implementations assume that only one certificate is relevant for any given transport endpoint. Which, for the vast majority of uses, would not be that big a deal except that a certain vendor which dominates the well-known-CA market(*) sees a revenue opportunity in wildcard certificates, much as ISPs see a revenue opportunity in residential customers who need multiple non-NAT'd addresses.

(*) To be fair, pretty much _every_ vendor does this.

-- Jeff
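As an added example, not part of Jeff's message or of the thread, the certificate-selection limit he describes modelled in Python. The selector keys on the transport endpoint (address, port); when the ClientHello carries no host name it can only return the one certificate configured for that endpoint, which is why a second name on the same address needs either its own IP or a wildcard certificate. The Server Name Indication extension (RFC 4366, later RFC 6066), which the thread does not mention, puts the target host name in the ClientHello so the server can choose a certificate per name. The ClientHello builder, its sample messages and the endpoint table are constructed for this example; the parser is a minimal hand-written one for those messages, not a TLS library.

```python
"""Certificate selection: per transport endpoint vs. by SNI host name.

Constructed example. A server that keys its certificate on (address, port)
can present one certificate per endpoint; the SNI extension lets it pick
one per requested host name instead. The parser handles only the handshake
layout used by build_client_hello() below and is not a general TLS parser.
"""
import struct

# Handshake layout (RFC 5246 7.4.1.2): type(1) len(3) version(2) random(32)
# session_id<0..32> cipher_suites<2..> compression<1..> extensions<0..>,
# each extension being type(2) len(2) data.


def build_client_hello(host_name=None):
    """Constructed TLS 1.2 ClientHello, optionally carrying an SNI extension."""
    body = b'\x03\x03' + bytes(32)           # version, zeroed client random
    body += b'\x00'                          # empty session_id
    body += b'\x00\x02\xc0\x2f'              # one cipher suite
    body += b'\x01\x00'                      # null compression only
    if host_name is not None:
        name = host_name.encode('ascii')
        entry = b'\x00' + struct.pack('!H', len(name)) + name   # 0 = host_name
        sni = struct.pack('!H', len(entry)) + entry              # ServerNameList
        ext = struct.pack('!HH', 0, len(sni)) + sni              # type 0 = server_name
        body += struct.pack('!H', len(ext)) + ext
    return b'\x01' + len(body).to_bytes(3, 'big') + body         # 1 = client_hello


def parse_sni(client_hello):
    """Return the host_name from the SNI extension, or None if absent."""
    try:
        if len(client_hello) < 38 or client_hello[0] != 1:
            return None
        pos = 4 + 2 + 32                                         # header, version, random
        pos += 1 + client_hello[pos]                             # session_id
        pos += 2 + struct.unpack('!H', client_hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + client_hello[pos]                             # compression_methods
        if pos + 2 > len(client_hello):
            return None                                          # no extensions block
        end = pos + 2 + struct.unpack('!H', client_hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack('!HH', client_hello[pos:pos + 4])
            data = client_hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            list_end = 2 + struct.unpack('!H', data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype = data[p]
                nlen = struct.unpack('!H', data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode('ascii')
                p += 3 + nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def name_matches(pattern, host):
    """Wildcard matching as in RFC 6125 6.4.3: '*' covers one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith('*.'):
        return pattern == host
    suffix = pattern[1:]                                         # '.example.com'
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return bool(label) and '.' not in label                      # not the bare domain


def select_certificate(endpoint_certs, endpoint, client_hello):
    """Pick a certificate for a connection accepted on endpoint = (ip, port).

    endpoint_certs maps an endpoint to the certificates configured on it,
    each a dict with a 'names' list. Without SNI only the first one can be
    used: that is the one-certificate-per-endpoint limit. With SNI the
    certificate whose names cover the requested host is chosen.
    """
    certs = endpoint_certs.get(endpoint, [])
    if not certs:
        return None
    host = parse_sni(client_hello)
    if host is None:
        return certs[0]                                          # pre-SNI behaviour
    for cert in certs:
        if any(name_matches(n, host) for n in cert['names']):
            return cert
    return certs[0]                                              # no match: default cert


# Constructed endpoint table: two names share one address and port.
ENDPOINTS = {
    ('192.0.2.10', 443): [
        {'subject': 'www.example.com', 'names': ['www.example.com']},
        {'subject': 'www.example.net', 'names': ['www.example.net']},
    ],
    ('192.0.2.11', 443): [
        {'subject': '*.example.org', 'names': ['*.example.org']},
    ],
}

if __name__ == '__main__':
    ep = ('192.0.2.10', 443)
    print(select_certificate(ENDPOINTS, ep, build_client_hello(None))['subject'])
    print(select_certificate(ENDPOINTS, ep, build_client_hello('www.example.net'))['subject'])
```

Run stand-alone it prints www.example.com twice over for a client without SNI and www.example.net once the host name is present. The wildcard rule is deliberately strict: `*.example.org` covers `www.example.org` but neither `example.org` nor `a.b.example.org`, which is the check a server should apply before presenting a wildcard certificate for a requested name.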

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
