Re: Is traffic analysis really a target (was Re: [saag] Is opportunistic unauthenticated encryption a waste of time?)

2014-08-24 21:36:56

In message <6461D9C5-8B0B-42D3-9877-32DB3E6150C6@standardstrack.com>,
Eric Burger writes:

> I am concerned with the drive to make all traffic totally opaque. I'll be
> brief: we have an existence proof of the mess that happens when we make
> all traffic look benign. It is called "everything over port 80." That
> `practical' approach drove the development of deep packet inspection,
> because everything running over port 80 was no longer HTTP traffic. It
> meant we could no longer prioritize traffic (in a good sense - *I* want
> to make sure my VoIP gets ahead of my Web surfing ahead of my FTP). It
> meant we could no longer apply enterprise policy on different
> applications. It drove `investment' in the tools that today dominate
> pervasive monitoring.
>
> Good job folks for unintended consequences.

And everyone went to port 80 because people put up blocks for other
ports often for no other reason than "we can".

You have idiots with firewalls blocking access to submission yet
allowing access to webmail services.

You have idiots with firewalls blocking access to imaps/pops yet
allowing access to webmail services.

You have idiots with firewalls blocking access to ... yet allowing
https through.

As for VoIP traffic, have the originating device set TOS/TCLASS.
It really isn't that hard, having set both TOS and TCLASS in the
application, sometimes on a per-packet basis.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
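A worked example of the last point above, that the originating device can set TOS/TCLASS itself, both as a per-socket default and per packet. This is an added example, not code from the original message or from ISC. It assumes the Linux socket API: IP_TOS and IPV6_TCLASS via setsockopt() for the socket default, and the same options as sendmsg() ancillary data for per-packet marking (IPV6_TCLASS as a cmsg is the RFC 3542 API; IP_TOS as a cmsg is Linux-specific and needs a reasonably recent kernel). DSCP Expedited Forwarding is 46 (RFC 3246) and is written as 46 << 2 because the low two bits of the octet are ECN. The function names (set_socket_dscp, attach_dscp_cmsg, send_with_dscp and the two roundtrip helpers), the loopback destination, port 5004 and the payload are this example's own constructions.

```c
/* Added example, not from the original message: DSCP marking of outgoing UDP
 * (e.g. RTP voice) at the sending host. Linux socket API; demo target constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* DSCP Expedited Forwarding (RFC 3246) is 46. DSCP is the top six bits of the
 * TOS / Traffic Class octet and the low two are ECN, so the byte handed to the
 * socket is dscp << 2 (46 -> 0xB8). */
#define DSCP_EF 46
#define DSCP_TO_BYTE(d) (((d) & 0x3f) << 2)
#define BYTE_TO_DSCP(b) (((b) >> 2) & 0x3f)

/* Per-socket default: every datagram sent on fd carries this marking. */
int set_socket_dscp(int fd, int family, int dscp)
{
    int val = DSCP_TO_BYTE(dscp);
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &val, sizeof val);
    return setsockopt(fd, IPPROTO_IP, IP_TOS, &val, sizeof val);
}

/* Read the marking back from the kernel; returns the DSCP, or -1 on error. */
int get_socket_dscp(int fd, int family)
{
    int val = 0;
    socklen_t len = sizeof val;
    int rc = family == AF_INET6 ? getsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &val, &len)
                                : getsockopt(fd, IPPROTO_IP, IP_TOS, &val, &len);
    return rc < 0 ? -1 : BYTE_TO_DSCP(val);
}

/* Open a UDP socket, set the marking, read it back, close: returns what the
 * kernel reports (or -1) so the round trip can be checked. */
int socket_dscp_roundtrip(int family, int dscp)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int got = set_socket_dscp(fd, family, dscp) == 0 ? get_socket_dscp(fd, family) : -1;
    close(fd);
    return got;
}

/* Per-packet marking: one IP_TOS / IPV6_TCLASS cmsg in msg->msg_control makes
 * this sendmsg() alone use dscp, overriding the socket default. ctrl must hold
 * CMSG_SPACE(sizeof(int)) bytes. Returns the cmsg_type used, or -1. */
int attach_dscp_cmsg(struct msghdr *msg, char *ctrl, size_t ctrllen, int family, int dscp)
{
    if (ctrllen < CMSG_SPACE(sizeof(int))) return -1;
    memset(ctrl, 0, ctrllen);
    msg->msg_control = ctrl;
    msg->msg_controllen = CMSG_SPACE(sizeof(int));
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_len = CMSG_LEN(sizeof(int));
    c->cmsg_level = family == AF_INET6 ? IPPROTO_IPV6 : IPPROTO_IP;
    c->cmsg_type = family == AF_INET6 ? IPV6_TCLASS : IP_TOS;
    int val = DSCP_TO_BYTE(dscp);
    memcpy(CMSG_DATA(c), &val, sizeof val);
    return c->cmsg_type;
}

/* Build the cmsg in a scratch msghdr and decode it again; returns the DSCP it
 * carries, or -1 if it could not be built. */
int dscp_cmsg_roundtrip(int family, int dscp)
{
    char ctrl[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = {0};
    if (attach_dscp_cmsg(&msg, ctrl, sizeof ctrl, family, dscp) < 0) return -1;
    int val; memcpy(&val, CMSG_DATA(CMSG_FIRSTHDR(&msg)), sizeof val);
    return BYTE_TO_DSCP(val);
}

/* Send one datagram with a per-packet DSCP, e.g. EF for a voice frame while
 * signalling on the same socket goes out at the socket default. */
ssize_t send_with_dscp(int fd, int family, const void *buf, size_t len,
                       const struct sockaddr *dst, socklen_t dstlen, int dscp)
{
    char ctrl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_name = (void *)dst, .msg_namelen = dstlen,
                          .msg_iov = &iov, .msg_iovlen = 1 };
    if (attach_dscp_cmsg(&msg, ctrl, sizeof ctrl, family, dscp) < 0) return -1;
    return sendmsg(fd, &msg, 0);
}

int main(void)
{
    /* Constructed demo target: loopback, UDP/5004; no listener is needed. */
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(5004),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || set_socket_dscp(fd, AF_INET, DSCP_EF) < 0) { perror("setup"); return 1; }
    printf("socket default DSCP = %d\n", get_socket_dscp(fd, AF_INET));
    static const char frame[] = "constructed RTP-like payload";
    ssize_t n = send_with_dscp(fd, AF_INET, frame, sizeof frame,
                               (struct sockaddr *)&dst, sizeof dst, DSCP_EF);
    printf("per-packet DSCP %d sendmsg: %zd bytes\n", DSCP_EF, n);
    close(fd);
    return 0;
}
```

The caveat a practitioner will want alongside this: the marking is asserted by the sender and travels in the clear, so it lets a middlebox prioritise without looking past the IP header, which is exactly the property being argued for in this thread, but it is not something to trust for policy. Any host can put EF on bulk traffic, and networks routinely re-mark or bleach DSCP at their borders, so treat it as a hint from the endpoint, not as an identity.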
