On Nov 15, 2010, at 10:41 PM, Masataka Ohta wrote:

> Phillip Hallam-Baker wrote:
>
>> You are incorrect.
>>
>> Firewalls can be used for many purposes. Authenticated traversal is well established in the firewall model.
>
> Given the diversity of firewalls and their operations, it's practically impossible.
>
>> Why? Firewalls are not there to block arbitrary traffic. They are there to allow the required traffic, while blocking stuff that is either an attack or violates policy.
>>
>> There is a copious amount of prior art.
>
> Remember what happened to path MTU discovery.
>
> Just as path MTU discovery for IPv6 won't work, you can't expect firewalls in the real world to behave in a friendly way toward your own firewall-traversing protocols.

Why not? While I agree that firewalls are diverse, they are all made by vendors, and the big firewall vendors all have employees who participate in the IETF. An IETF standard that allows firewall traversal for legitimate traffic is very likely to be adopted by all the vendors. It might not work with some bargain-basement home router you get at Walmart, but even they eventually get updated software.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf