In message <9A2BB5EF-A137-439D-81AF-40B784D541A9@xxxxxxxxx>, Iljitsch van Beijnum writes:
>On 7-sep-2005, at 0:16, Daniel Senie wrote:
>
>> Actually, a "Firewall Considerations" section would make sense.
>
>What would be in such a section? There are only three possibilities:
>
>1. There is no firewall: no need for text.
>2. There is a firewall, and it doesn't try to block the protocol: no
>need for text.
>3. There is a firewall, and it tries to block the protocol.
>
>So what text would be helpful in case #3? Either the firewall
>successfully blocks the protocol and the firewall works and the
>protocol doesn't, or the firewall doesn't manage to block the
>protocol and the protocol works but the firewall doesn't. So whatever
>happens, someone is going to be unhappy.
>

Not at all. Often, a firewall needs to know a fair amount about the protocol to do its job. FTP is the simplest case -- it has to look for the PORT (and, in some configurations, the PASV) command. H.323 and SIP are more complex. But for complex protocols, we need to go a step further. SIP has, built-in, provision for gateways. There are a number of reasons for this, but firewall friendliness is certainly one of them.

The proper question is this: would adding something to the protocol enable it to operate properly in the presence of a firewall *without* subverting site security policy? The lack of that latter consideration has led to people using http as the universal firewall traversal protocol, with the obvious bad side-effects.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
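To make the FTP point concrete: an added example (not from the thread, not any firewall's actual code) of the protocol knowledge a firewall's FTP application-layer gateway needs. It parses the PORT command and the 227 PASV reply to learn which data-channel endpoint to open, and it refuses a pinhole toward any host other than the control-connection peer or toward a privileged port, which is the "without subverting site security policy" part. The sample control-channel lines and the `Pinhole`/`ftp_pinhole` names are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959 syntax).
_ADDR = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT\s+" + _ADDR + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*\(" + _ADDR + r"\)")


@dataclass(frozen=True)
class Pinhole:
    host: str  # endpoint that will accept the data connection
    port: int


def _decode(groups) -> Pinhole:
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return Pinhole(".".join(map(str, octets[:4])), octets[4] * 256 + octets[5])


def ftp_pinhole(line: str, control_peer: str) -> Pinhole:
    """Return the data-channel endpoint to open for one control-channel line.

    control_peer is the address the line's sender uses on the control
    connection: the client for PORT, the server for a 227 reply.  The ALG
    only opens a hole toward that same host, and never to a privileged port.
    """
    m = _PORT_CMD.match(line) or _PASV_REPLY.match(line)
    if m is None:
        raise ValueError("not a PORT command or a 227 PASV reply")
    hole = _decode(m.groups())
    if hole.host != control_peer:
        raise ValueError(f"announced host {hole.host} is not control peer {control_peer}")
    if hole.port < 1024:
        raise ValueError(f"refusing privileged data port {hole.port}")
    return hole


def is_allowed(line: str, control_peer: str) -> bool:
    """Policy decision for one line: True if the ALG would open the pinhole."""
    try:
        ftp_pinhole(line, control_peer)
        return True
    except ValueError:
        return False


# Constructed sample traffic: a client at 192.0.2.10 talking to a server at 198.51.100.7.
SAMPLE = [
    ("PORT 192,0,2,10,4,1", "192.0.2.10"),                          # allowed, port 1025
    ("227 Entering Passive Mode (198,51,100,7,195,80).", "198.51.100.7"),  # allowed, port 50000
    ("PORT 203,0,113,5,4,1", "192.0.2.10"),                         # third-party host: refused
    ("PORT 192,0,2,10,0,25", "192.0.2.10"),                         # privileged port: refused
]
```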