
Re: On firewall traversal vs. bypass

2007-07-31 05:13:51
On 7/31/07 4:09 AM, "Aki Niemi" <aki(_dot_)niemi(_at_)nokia(_dot_)com> wrote:
> Continuing on something heard at the technical plenary last week. There
> were people complaining that while protocols like STUN/TURN and ICE are
> traversing NAT, they are in fact bypassing firewall policies, which they
> should not be doing.

I think it's more complicated than that.
1) there were complaints about the difficulties caused
   specifically by firewalls (apart from NATs)
2) Eric said that the IETF is producing firewall traversal
   protocols like ICE
3) I pointed out that ICE is a NAT traversal protocol, not
   a firewall traversal protocol, and that a key functional
   difference is that NATs don't really do policy (beyond
   address policy) while firewalls are specifically policy
   devices.

Where I think we differ is in what we think firewalls ought
to do.  While the default policy of a residential firewall
probably should be something along the lines of "keep
unsolicited traffic out," enterprise policies tend to be and
should be a lot richer.

STUN and ICE effectively work by side-effect, creating NAT
table mappings simply by passing data across the NAT.  In the
firewall case you really must allow the firewall the possibility
to say "no," and you should give the firewall the data it
needs to make an informed decision.  That data might include
application identification, user credentials - whatever
information is used as the basis for a policy decision.  It's
also nice if you're able to tell the application that its
request has been denied so that it can fail and/or recover
gracefully.

I also think the assumption that any media flows across a
firewall ought to be allowed is questionable, but that's a
somewhat different matter.

Melinda

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
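The distinction the message draws (NAT mappings that appear as a side-effect of outbound traffic, versus a firewall that evaluates a richer policy and can say "no" in a way the application can act on) is illustrated below as an added example. It is a constructed toy model written for this page; it is not code from the IETF, from any STUN/ICE implementation, or from either author of the thread. The NAT, STUN server, firewall, rule set, addresses and user names are all assumptions chosen for illustration.

```python
"""Toy model: a NAT whose mappings exist only because an inside host sent
something (what a STUN Binding request or ICE connectivity check relies on),
next to a firewall that decides on application identity and user and hands
the denial back to the application.  Constructed illustration for this page;
not IETF, STUN/ICE or thread-author code.  All names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, udp port)

@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    payload: str = ""

class Nat:
    """Endpoint-independent-mapping NAT (RFC 4787 terminology). Its only
    'policy' is the address mapping, created as a side-effect of outbound
    traffic; unsolicited inbound packets are dropped without any signal."""
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table: Dict[Addr, int] = {}    # internal addr -> external port
        self.reverse: Dict[int, Addr] = {}  # external port -> internal addr

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.table:       # side-effect: new mapping
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[pkt.src] = port
            self.reverse[port] = pkt.src
        return Packet((self.external_ip, self.table[pkt.src]), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        internal = self.reverse.get(pkt.dst[1])
        if internal is None:
            return None                     # no mapping: silently dropped
        return Packet(pkt.src, internal, pkt.payload)

def stun_server_reply(request: Packet, server: Addr) -> Packet:
    """A Binding response reports the source address the server observed
    (XOR-MAPPED-ADDRESS in real STUN; plain text here)."""
    return Packet(server, request.src, f"mapped={request.src[0]}:{request.src[1]}")

def discover_reflexive_address(nat: Nat, host: Addr, stun: Addr) -> Addr:
    """Inside host learns its server-reflexive address: the request creates
    the mapping, the response comes back through it."""
    request = nat.outbound(Packet(host, stun, "binding-request"))
    response = nat.inbound(stun_server_reply(request, stun))
    assert response is not None and response.dst == host
    ip, port = response.payload.split("=")[1].split(":")
    return (ip, int(port))

def connectivity_check(nat: Nat, peer: Addr, candidate: Addr) -> bool:
    """ICE-style check from outside: succeeds only if an earlier outbound
    packet already created the mapping for `candidate`."""
    return nat.inbound(Packet(peer, candidate, "stun-check")) is not None

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

Rule = Tuple[Callable[[Packet, str, str], bool], bool, str]

class PolicyFirewall:
    """Policy device: decides on application id and user as well as
    addresses, and returns the reason so the application can fail gracefully
    instead of timing out on a silent drop."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, pkt: Packet, app_id: str, user: str) -> Decision:
        for matches, allowed, reason in self.rules:
            if matches(pkt, app_id, user):
                return Decision(allowed, reason)
        return Decision(False, "default deny: no matching rule")

def open_media_flow(fw: PolicyFirewall, pkt: Packet, app_id: str, user: str) -> str:
    """Application side: act on the firewall's explicit answer."""
    d = fw.evaluate(pkt, app_id, user)
    return "flow open" if d.allowed else f"flow refused ({d.reason})"

# Constructed topology and rule set (assumptions, not from the page).
HOST, STUN, PEER = ("10.0.0.5", 5004), ("203.0.113.10", 3478), ("198.51.100.7", 6000)
ENTERPRISE_RULES: List[Rule] = [
    (lambda p, app, user: app == "voip-media" and user.endswith("@corp.example"),
     True, "voip media permitted for corporate users"),
    (lambda p, app, user: app == "voip-media",
     False, "media not permitted for guest accounts"),
]

if __name__ == "__main__":
    nat = Nat("192.0.2.1")
    reflexive = discover_reflexive_address(nat, HOST, STUN)
    print("reflexive address:", reflexive)
    print("peer reaches mapped port:", connectivity_check(nat, PEER, reflexive))
    print("peer reaches unmapped port:", connectivity_check(nat, PEER, ("192.0.2.1", 40001)))
    fw = PolicyFirewall(ENTERPRISE_RULES)
    pkt = Packet(HOST, PEER, "rtp")
    print(open_media_flow(fw, pkt, "voip-media", "alice@corp.example"))
    print(open_media_flow(fw, pkt, "voip-media", "guest42"))
    print(open_media_flow(fw, pkt, "bittorrent", "alice@corp.example"))
```

The NAT half never consults anything but its mapping table, so a STUN request "opens" it purely by having been sent; the firewall half takes inputs a NAT never sees (application identity, user) and, on denial, the application gets a reason rather than a silent drop it would otherwise have to infer from a timeout.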
