> > Equally flawed and useless are the H.323 protocols that do not
> > tunnel through NAT or even work with a firewall in a remotely
> > acceptable fashion.
>
> NAT is the big bad dog here, that is what breaks the
> end-to-end connectivity.

<restart NAT war />

In case you had not noticed there are now tens of millions of NAT devices in use. End users are not going to pay $10 per month for an extra IP address when they can connect unlimited numbers of devices to the net using a $40 NAT box.

The NAT war has been over for years, NAT won. The problem is that the IETF still has not come to terms with that fact.

The Internet was designed to be a network of networks. The core architecture is NOT end-to-end, that is a political shibboleth that has been imposed later. The features of the Internet that work are the ones that work within the end-to-end model. The features that are failures are the ones where the end-to-end model is bogus.

The security world has long since realised that exclusive reliance on end-to-end security is bogus. I don't know of any serious security professionals who now claim that firewalls are bogus or that they will go away as the myth has it. Perimeter security is here to stay.

In the case of H.323 the problem is not just NAT, it is the deranged protocol which uses a block of 3000 odd TCP/IP ports to receive messages on. There is no way that this is consistent with good firewall management - unless you go to some pretty sophisticated additional control to open up and shut down the ports as required.

As for IPv6, the only feasible way to deploy it is by co-opting those NAT boxes.

Phill
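The firewall-management point in the message above (a static block of some 3000 media ports versus signalling-driven control that opens and shuts ports as required) illustrated as an added example; this is not code from the thread or from any H.323 implementation, and the port range 3000-5999, the call id and the stray packet are constructed values.

```python
# Added example (not from the mailing-list post): contrasts a static firewall
# policy that leaves a whole block of media ports open at all times with a
# dynamic "pinhole" policy that opens a port only while a signalled call is
# active. The range 3000-5999, call ids and ports are constructed, not H.323's.
from dataclasses import dataclass, field


@dataclass
class StaticRangePolicy:
    """Permits every port in a fixed range, whether or not a call is up."""
    low: int
    high: int

    def allows(self, port: int) -> bool:
        return self.low <= port <= self.high

    def exposed_ports(self) -> int:
        return self.high - self.low + 1


@dataclass
class PinholePolicy:
    """Permits a port only after the signalling channel has opened it."""
    low: int
    high: int
    open_ports: dict = field(default_factory=dict)  # port -> call id

    def on_call_setup(self, call_id: str, port: int) -> None:
        if not (self.low <= port <= self.high):
            raise ValueError(f"port {port} outside media range")
        self.open_ports[port] = call_id

    def on_call_teardown(self, call_id: str) -> None:
        for port in [p for p, c in self.open_ports.items() if c == call_id]:
            del self.open_ports[port]  # close the pinhole with the call

    def allows(self, port: int) -> bool:
        return port in self.open_ports

    def exposed_ports(self) -> int:
        return len(self.open_ports)


def simulate() -> dict:
    """Constructed scenario: one call negotiates media on port 3101, then an
    unrelated packet arrives on port 3500, then the call is torn down."""
    static, pinhole = StaticRangePolicy(3000, 5999), PinholePolicy(3000, 5999)
    pinhole.on_call_setup("call-1", 3101)
    result = {
        "static_stray_allowed": static.allows(3500),    # open all the time
        "pinhole_stray_allowed": pinhole.allows(3500),  # never signalled
        "pinhole_media_allowed": pinhole.allows(3101),
        "static_exposed": static.exposed_ports(),       # 3000 ports
        "pinhole_exposed": pinhole.exposed_ports(),     # 1 port
    }
    pinhole.on_call_teardown("call-1")
    result["pinhole_after_teardown"] = pinhole.allows(3101)
    return result
```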