Re: IESG position on NAT traversal and IPv4/IPv6

Yoav Nir <ynir@checkpoint.com> Tue, 16 November 2010 11:18 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Tue, 16 Nov 2010 13:19:11 +0200
Subject: Re: IESG position on NAT traversal and IPv4/IPv6
Message-ID: <FF22F332-DF18-4D83-95AD-40B5F6961BFF@checkpoint.com>
References: <F443844F-67B6-418F-9E32-B2F498686650@acmepacket.com> <4CE0F9D9.2050002@ericsson.com> <4CE1228F.3090409@piuha.net> <4CE12517.4080908@necom830.hpcl.titech.ac.jp> <AANLkTinW7auVw8EB+v4_WXiHPDxoRiyhmYPaLZ98uie-@mail.gmail.com> <4CE19AEB.5020307@necom830.hpcl.titech.ac.jp>
In-Reply-To: <4CE19AEB.5020307@necom830.hpcl.titech.ac.jp>
Cc: Phillip Hallam-Baker <hallam@gmail.com>, "ietf@ietf.org" <ietf@ietf.org>

On Nov 15, 2010, at 10:41 PM, Masataka Ohta wrote:

> Phillip Hallam-Baker wrote:
> 
>> You are incorrect.
>> 
>> Firewalls can be used for many purposes. Authenticated traversal is well
>> established in the firewall model.
> 
> Given the diversity of firewalls and their operations, it's
> practically impossible.

Why? Firewalls are not there to block arbitrary traffic. They are there to allow the required traffic, while blocking stuff that is either an attack or violates policy.

> 
>> There is a copious amount of prior art.
> 
> Remember what happened to path MTU discovery.
> 
> Just as path MTU discovery for IPv6 won't work, you can't expect
> firewalls in the real world to behave friendly to your own firewall-
> traversing protocols.

Why not?  While I agree that firewalls are diverse, they are all made by vendors, and the big firewall vendors all have employees who participate in the IETF. An IETF standard that allows firewall traversal for legitimate traffic is very likely to be adopted by all the vendors. It might not work with some bargain-basement home router you get at Walmart, but even they eventually get updated software.