RE: MBONE access?

> > Equally flawed and useless are the H.323 protocols that do not
> > tunnel through NAT or even work with a firewall in a remotely 
> > acceptable fashion.
> 
> NAT is the big bad dog here, that is what breaks the
> end to end connectivity. <restart NAT war />

In case you had not noticed there are now tens of millions of NAT
devices in use. End users are not going to pay $10 per month for
an extra IP address when they can connect unlimited numbers of 
devices to the net using a $40 NAT box.

The NAT war has been over for years, NAT won. The problem is that
the IETF still has not come to terms with that fact.

The Internet was designed to be a network of networks. The core
architecture is NOT end-to-end, that is a political shibboleth that
has been imposed later.

The features of the Internet that work are the ones that work within
the end-to-end model. The features that are failures are the ones
where the end-to-end model is bogus.

The security world has long since realised that exclusive reliance
on end-to-end security is bogus. I don't know of any serious security
professionals who now claim that firewalls are bogus or that they 
will go away as the myth has it. Perimeter security is here to stay.

In the case of H323 the problem is not just NAT, it is the deranged 
protocol which uses a block of 3000 odd TCP/IP ports to receive
messages on. There is no way that this is consistent with good
firewall management - unless you go to some pretty sophisticated 
additional control to open up and shut down the ports as required.

As for IPv6, the only feasible way to deploy it is by co-opting those
NAT boxes.

		Phill
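The "sophisticated additional control" Phill mentions is what a stateful firewall or application-level gateway does for H.323: it watches the call signalling and opens a pinhole only for the media port a call actually negotiated, then closes it on hangup or timeout. The following is an added example, not code from the message or from any IETF work; it models the two firewall policies (statically open the whole block versus signalling-driven pinholes) on a constructed 3000-port range (10000-12999, an assumed range chosen to match the "3000 odd" ports in the text) and counts how many ports are reachable from outside under each. All call identifiers, ports and timings are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed dynamic media port block: the message says "3000 odd" ports; the
# exact range 10000-12999 is an assumption for this example.
MEDIA_PORT_RANGE = range(10000, 13000)


class Policy:
    """Base: signalling hooks are no-ops; subclasses decide what is permitted."""

    def call_negotiated(self, call_id: str, port: int, now: float) -> None:
        pass

    def call_ended(self, call_id: str) -> None:
        pass

    def permits(self, dst_port: int, now: float) -> bool:
        raise NotImplementedError

    def exposed_ports(self, now: float) -> int:
        raise NotImplementedError


class StaticPolicy(Policy):
    """Leave the whole block open permanently (the bad firewall management)."""

    def permits(self, dst_port, now):
        return dst_port in MEDIA_PORT_RANGE

    def exposed_ports(self, now):
        return len(MEDIA_PORT_RANGE)


@dataclass
class PinholePolicy(Policy):
    """Open a port only for the call that negotiated it, with a TTL so that a
    call whose endpoint vanished without a hangup does not leave a port open."""

    ttl: float = 30.0  # seconds a pinhole lives without a refresh
    pinholes: dict = field(default_factory=dict)  # port -> (call_id, expiry)

    def call_negotiated(self, call_id, port, now):
        if port not in MEDIA_PORT_RANGE:
            raise ValueError(f"port {port} is outside the permitted media block")
        self.pinholes[port] = (call_id, now + self.ttl)

    def call_ended(self, call_id):
        self.pinholes = {p: v for p, v in self.pinholes.items() if v[0] != call_id}

    def _expire(self, now):
        self.pinholes = {p: v for p, v in self.pinholes.items() if v[1] > now}

    def permits(self, dst_port, now):
        self._expire(now)
        return dst_port in self.pinholes

    def exposed_ports(self, now):
        self._expire(now)
        return len(self.pinholes)


def run_scenario(policy: Policy) -> dict:
    """Replay one constructed call sequence against a policy and report
    the per-packet verdicts plus the number of externally reachable ports."""
    verdicts = {}
    # t=0: signalling for call c1 negotiates media port 10500
    policy.call_negotiated("c1", 10500, now=0.0)
    verdicts["c1 media"] = policy.permits(10500, now=1.0)
    # t=2: unsolicited packet to a different port inside the block
    verdicts["stray"] = policy.permits(12999, now=2.0)
    exposed_during_call = policy.exposed_ports(now=2.0)
    # t=3: c1 hangs up cleanly
    policy.call_ended("c1")
    verdicts["after hangup"] = policy.permits(10500, now=3.0)
    # t=5: call c2 negotiates port 11000 but its endpoint crashes; no hangup
    policy.call_negotiated("c2", 11000, now=5.0)
    verdicts["c2 live"] = policy.permits(11000, now=10.0)
    verdicts["c2 stale"] = policy.permits(11000, now=50.0)  # past the 30 s TTL
    return {
        "verdicts": verdicts,
        "exposed_during_call": exposed_during_call,
        "exposed_idle": policy.exposed_ports(now=50.0),
    }


if __name__ == "__main__":
    for name, policy in (("static", StaticPolicy()), ("pinhole", PinholePolicy())):
        print(name, run_scenario(policy))
```

Under the static policy every probe into the block is accepted and 3000 ports stay reachable whether or not a call is up; under the pinhole policy only the negotiated port answers while its call is live, the stray probe and the post-hangup packet are dropped, and the abandoned call's port closes on its own once the TTL lapses. A real gateway would also have to parse the signalling itself and rewrite addresses across NAT, which is precisely the complexity the message objects to.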


