Steven M. Bellovin wrote:
> More of his measurements concluded that at least 56% of hosts are behind a firewall that blocks by default.
It should be pointed out here that the problems introduced by NATs are not quite the same as problems introduced by firewalls. While they both impair reachability, NATs cause NATted hosts to be unable to determine their own address (or indeed to have an addressable presence at all without initiating contact with another host). In any event I think that it's a mistake to assume that a firewall or NAT can inspect or rewrite the contents of a data stream. I'm not sure that it's a good idea for the IETF to tacitly (or otherwise) discourage encryption or authentication.

I'm sort of "meh" on the idea of a mandatory firewall/NAT/middlebox/filters section in protocol documents. I'm not sure that there's a widespread problem that it would solve. In the case where there is a problem, like this one, sharp eyes tend to catch it early. We have mandatory security sections because securing a particular protocol can be subtle and idiosyncratic because of trust relationships and operating environment, and firewall/NAT problems tend to be pretty much the same from protocol to protocol, with hard problems cropping up in a small number of cases.

Melinda

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
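The two technical points in the reply above (a NATted host cannot learn its own reachable address without sending first, and a NAT or firewall cannot rewrite addresses carried inside a data stream once that stream is encrypted) can be shown with a small simulation. This is an added example, not code from the list posters or from any IETF document: the NAT, the FTP-style `PORT` line that carries an address in the payload, the RFC 5737 documentation addresses, and the toy SHA-256 keystream cipher standing in for TLS are all constructed for illustration.

```python
"""Toy NAT with a payload-rewriting ALG (constructed example).

Demonstrates two things the thread discusses:
  1. A host behind a NAT only knows its interface address; the public
     mapping exists only after it sends, and only a peer can report it.
  2. An ALG that fixes up addresses inside the payload works on plaintext
     and silently stops working once the payload is encrypted.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Matches a dotted-quad IPv4 literal inside a byte payload.
ADDR_RE = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # (private_ip, private_port) -> public port
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate the IP/transport header and, ALG-style, any copy of the
        private source address that is visible in the payload."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:          # mapping is created by the first outbound packet
            self.table[key] = self.next_port
            self.next_port += 1
        priv = pkt.src_ip.encode()
        pub = self.public_ip.encode()
        # Only the exact private address is rewritten; other literals are left alone.
        payload = ADDR_RE.sub(lambda m: pub if m.group(0) == priv else m.group(0), pkt.payload)
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port, payload)


def client_message(own_ip: str) -> bytes:
    """The host embeds the only address it knows about itself (its interface address)."""
    return b"PORT " + own_ip.encode() + b",1024\r\n"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for TLS: XOR with SHA-256 counter blocks.
    Symmetric, so the same call encrypts and decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def address_seen_by_server(encrypted: bool) -> str:
    """Address the server extracts from the PORT line after the packet crosses the NAT.
    Plaintext: the ALG fixed it up. Encrypted: the server sees the private address."""
    nat = Nat(public_ip="203.0.113.7")
    key = b"session-key"                 # assumed shared secret for the toy cipher
    msg = client_message("10.0.0.5")
    if encrypted:
        msg = keystream_xor(key, msg)
    out = nat.outbound(Packet("10.0.0.5", 50123, "198.51.100.20", 21, msg))
    data = keystream_xor(key, out.payload) if encrypted else out.payload
    return ADDR_RE.search(data).group(0).decode()


def reflected_address() -> tuple:
    """STUN-style reflection: the host learns its public (ip, port) only by sending
    first and having the peer report what appeared in the translated header."""
    nat = Nat(public_ip="203.0.113.7")
    out = nat.outbound(Packet("10.0.0.5", 50123, "198.51.100.20", 3478, b"binding request"))
    return out.src_ip, out.src_port


if __name__ == "__main__":
    print("plaintext PORT, server sees:", address_seen_by_server(False))   # 203.0.113.7
    print("encrypted PORT, server sees:", address_seen_by_server(True))    # 10.0.0.5
    print("mapping learned by reflection:", reflected_address())
```

The encrypted case is the one the reply warns about: the NAT still translates the header, but the address inside the stream is now the unreachable private one, and no middlebox can fix that without breaking the encryption. The reflection helper shows the other half of the point: the mapping does not exist until the host sends, so "its own address" is something the host can only be told by a peer.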