On 2/14/08 9:58 AM, "Iljitsch van Beijnum" <iljitsch(_at_)muada(_dot_)com>
wrote:
Disagree. There is no reason why a stateful firewall would have an
easier time tracking UDP state than any other non-TCP state when there
is no address translation.
There's just a lot more experience with UDP than there
is with some other non-TCP protocols. Engineers have been
more motivated to deal with it than they have with, say, SCTP.
But anyway, firewalls solve a different problem from NAT.
NAT has incidentally been used as a policy device but
a firewall really is a policy device. So, while it
might be reasonable to say "I need to figure out how
to get across a NAT," it would also be reasonable to
say "I need to figure out how to get across a firewall
without violating access policy." You definitely do
not want to design a mechanism that enables policy
violation.
Melinda
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
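To make the point about non-TCP state concrete, here is a small stateful flow tracker that handles UDP and SCTP through one code path. This is an added example, not code from the thread or from any product the posters discuss; the protocol numbers follow IANA, but the idle timeout, the outbound policy (DNS over UDP, Diameter over SCTP), the addresses and the packet sequence are all constructed for the illustration. It keys state on the 5-tuple, admits inbound packets only when they match the reverse tuple of a flow an inside host opened, and ages entries on an idle timer; nothing in it is specific to UDP, which is what the "no address translation" case comes down to.

```python
"""Minimal stateful flow tracker for connectionless / non-TCP protocols.

Added example, not from the mailing-list post. State is keyed on the
(proto, src, sport, dst, dport) 5-tuple with an idle timeout, so UDP
(IP proto 17) and SCTP (IP proto 132) share exactly the same bookkeeping.
IDLE_TIMEOUT, the outbound policy and the sample packets are assumed values
chosen for the example.
"""
from dataclasses import dataclass

UDP, SCTP = 17, 132       # IANA protocol numbers
IDLE_TIMEOUT = 30.0       # seconds; assumed value for the example


@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    ts: float         # arrival time in seconds
    outbound: bool    # True if sent from the protected (inside) network


class FlowFirewall:
    """Policy: inside hosts may initiate flows listed in allow_outbound;
    outside hosts may only answer flows that already exist."""

    def __init__(self, allow_outbound):
        self.allow_outbound = set(allow_outbound)   # {(proto, dport), ...}
        self.state = {}                             # inside-view 5-tuple -> last seen

    @staticmethod
    def key(p):
        # flow as seen from the inside host that initiated it
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(p):
        # an inbound reply maps back onto the initiating flow's key
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self, now):
        # drop flows idle longer than IDLE_TIMEOUT; same rule for every protocol
        for k, last in list(self.state.items()):
            if now - last > IDLE_TIMEOUT:
                del self.state[k]

    def handle(self, p):
        self.expire(p.ts)
        if p.outbound:
            k = self.key(p)
            if k in self.state or (p.proto, p.dport) in self.allow_outbound:
                self.state[k] = p.ts      # create or refresh state
                return "PASS"
            return "DROP"                 # policy violation, not a state question
        k = self.reverse(p)
        if k in self.state:               # unsolicited inbound has no matching flow
            self.state[k] = p.ts
            return "PASS"
        return "DROP"


def run_scenario():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = FlowFirewall(allow_outbound={(UDP, 53), (SCTP, 3868)})  # DNS, Diameter
    pkts = [
        Pkt(UDP,  "10.0.0.5",     40000, "192.0.2.1",    53,   0.0,  True),   # DNS query
        Pkt(UDP,  "192.0.2.1",    53,    "10.0.0.5",     40000, 0.1, False),  # DNS reply
        Pkt(SCTP, "10.0.0.5",     50000, "198.51.100.7", 3868, 1.0,  True),   # SCTP INIT
        Pkt(SCTP, "198.51.100.7", 3868,  "10.0.0.5",     50000, 1.2, False),  # SCTP reply
        Pkt(UDP,  "203.0.113.9",  1234,  "10.0.0.5",     40000, 2.0, False),  # unsolicited
        Pkt(UDP,  "10.0.0.5",     40001, "192.0.2.1",    123,  3.0,  True),   # NTP, not allowed
        Pkt(UDP,  "192.0.2.1",    53,    "10.0.0.5",     40000, 100.0, False),  # stale reply
    ]
    return [fw.handle(p) for p in pkts]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The SCTP association goes through the same create/match/expire path as the DNS exchange; a firewall that wanted finer SCTP state could additionally inspect chunk types (INIT, SHUTDOWN) the way TCP trackers use flags, which is the extra engineering work the post alludes to rather than anything that makes plain 5-tuple tracking harder. Note also that the NTP packet is dropped by policy, not for lack of state: that is the firewall acting as a policy device.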