Re: Why?

Another concern I have is that, in an IPv6-only world, even if you eliminate NAT, there will still be firewalls, and those firewalls will frequently have the property that they block traffic coming from the outside to a particular IP/port on the inside unless an outbound packet has been generated from the inside from that IP/port. This means that IP addresses are not globally reachable. You'd still need most of the same solutions we have on the table today to deal with this problem. Indeed, in the VoIP space, I believe you'd need pretty much everything, except that you'd be able to remove a single attribute from a few of the protocols (STUN and TURN in particular), which tells the endpoint its address on the other side of the NAT. The endpoint knows its address, but all of the protocol machinery is still needed to rendezvous with the other participant in the call.

I think this is why we chartered MIDCOM in the first place.

MIDCOM has always seemed like the wrong direction to me. We don't need a way for apps to open up holes in firewalls, because that makes firewalls useless for dealing with rogue apps. And while there is still some utility to be gained from perimeter defenses, the notion of firewalls as a primary defense against attack is anachronistic at best (and that's being kind).


What we need is an architecture for multilayered defense that allows centralized policy specification (which is merged with host policy) and which is application-aware.


_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf
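The firewall behaviour discussed above, as an added example that is not part of this message or of the IETF thread: a small Python simulation of two IPv6 hosts, each behind a stateful firewall, trying to rendezvous. The firewall never rewrites addresses (there is no NAT), yet an unsolicited inbound packet is dropped until the inside host has sent something first. The two filtering modes use the terminology of RFC 4787 ("endpoint-independent" and "address-dependent" filtering); the prefixes, host addresses, rendezvous server and port numbers are constructed for the example (3478 is STUN's registered port), and `rendezvous()` is a hypothetical driver, not a real protocol implementation.

```python
"""Stateful firewalls without NAT: IPv6 addresses are still not globally reachable.

Constructed example. The firewall model below is deliberately minimal: it keeps
a set of "pinholes" opened by outbound packets and admits an inbound packet only
if it matches one. Addresses are never rewritten, so there is no NAT here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv6 address (string form)
    sport: int  # source UDP port
    dst: str    # destination IPv6 address
    dport: int  # destination UDP port


class StatefulFirewall:
    """Allow outbound, remember the flow, admit inbound only for remembered flows.

    filtering="endpoint-independent": any outbound packet from (addr, port) opens
        that (addr, port) to every remote host (RFC 4787 terminology).
    filtering="address-dependent": the pinhole is also bound to the remote
        address the inside host sent to, so talking to a rendezvous server does
        not open the hole for the peer.
    """

    def __init__(self, inside_prefix: str, filtering: str = "endpoint-independent") -> None:
        if filtering not in ("endpoint-independent", "address-dependent"):
            raise ValueError(f"unknown filtering mode: {filtering}")
        self.inside = ipaddress.ip_network(inside_prefix)
        self.filtering = filtering
        self.pinholes = set()  # keys built by _key(); no address rewriting anywhere

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def _key(self, inside_addr: str, inside_port: int, remote_addr: str):
        if self.filtering == "endpoint-independent":
            return (inside_addr, inside_port)
        return (inside_addr, inside_port, remote_addr)

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside. Drops spoofed sources; otherwise opens a pinhole."""
        if not self._is_inside(pkt.src):
            return False  # source is not in our prefix: spoofed or misrouted, drop
        self.pinholes.add(self._key(pkt.src, pkt.sport, pkt.dst))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside. Admitted only if a matching pinhole exists."""
        if not self._is_inside(pkt.dst):
            return False
        return self._key(pkt.dst, pkt.dport, pkt.src) in self.pinholes


def rendezvous(filtering: str) -> dict:
    """Two hosts behind firewalls try to reach each other on UDP port 5000.

    Returns which stages of a STUN/ICE-style rendezvous made the path usable.
    All addresses are constructed documentation-range (2001:db8::/32) values.
    """
    fw_a = StatefulFirewall("2001:db8:a::/48", filtering)
    fw_b = StatefulFirewall("2001:db8:b::/48", filtering)
    a, b, server = "2001:db8:a::10", "2001:db8:b::10", "2001:db8:ffff::1"

    # Stage 1: B simply sends to A's globally routable address. No NAT is in the
    # way, but A's firewall has seen nothing outbound from a:5000, so it drops it.
    direct = fw_a.inbound(Packet(b, 5000, a, 5000))

    # Stage 2: both hosts talk to the rendezvous server (the STUN/TURN exchange).
    # In IPv6 the "reflexive address" the server would report is just the host's
    # own address, so that attribute is redundant; the exchange still happens.
    fw_a.outbound(Packet(a, 5000, server, 3478))
    fw_b.outbound(Packet(b, 5000, server, 3478))
    after_server_only = fw_a.inbound(Packet(b, 5000, a, 5000))

    # Stage 3: each side sends a connectivity check toward the other (ICE-style).
    # The first check in each direction may itself be dropped by the far firewall,
    # but sending it opens the local pinhole toward the peer's address.
    fw_a.outbound(Packet(a, 5000, b, 5000))
    fw_b.outbound(Packet(b, 5000, a, 5000))
    after_checks = (fw_a.inbound(Packet(b, 5000, a, 5000))
                    and fw_b.inbound(Packet(a, 5000, b, 5000)))

    return {"direct": direct,
            "after_server_only": after_server_only,
            "after_checks": after_checks}


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-dependent"):
        print(mode, rendezvous(mode))
```

With endpoint-independent filtering the registration with the server is enough to make a:5000 reachable; with address-dependent filtering it is not, and only the peer-directed connectivity checks open the path. Either way the unsolicited direct packet is dropped, which is the point the message makes: removing NAT removes the address-mapping attribute, not the rendezvous machinery.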
