On 7/31/07 4:09 AM, "Aki Niemi" <aki.niemi@xxxxxxxxx> wrote:

> Continuing on something heard at the technical plenary last week. There
> were people complaining that while protocols like STUN/TURN and ICE are
> traversing NAT, they are in fact bypassing firewall policies, which they
> should not be doing.

I think it's more complicated than that.

1) There were complaints about the difficulties caused specifically by
   firewalls (apart from NATs).
2) Eric said that the IETF is producing firewall traversal protocols like
   ICE.
3) I pointed out that ICE is a NAT traversal protocol, not a firewall
   traversal protocol, and that a key functional difference is that NATs
   don't really do policy (beyond address policy), while firewalls are
   specifically policy devices.

Where I think we differ is in what we think firewalls ought to do. While
the default policy of a residential firewall probably should be something
along the lines of "keep unsolicited traffic out," enterprise policies
tend to be, and should be, a lot richer.

STUN and ICE effectively work by side effect, creating NAT table mappings
simply by passing data across the NAT. In the firewall case you really
must allow the firewall the possibility to say "no," and you should give
the firewall the data it needs to make an informed decision. That data
might include application identification, user credentials - whatever
information is used as the basis for a policy decision. It's also nice if
you're able to tell the application that its request has been denied so
that it can fail and/or recover gracefully.

I also think the assumption that any media flows across a firewall ought
to be allowed is questionable, but that's a somewhat different matter.

Melinda
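The "works by side effect" mechanism described in the message above, as an added example that is not part of the original e-mail or of any IETF specification: a small Python model of a STUN Binding exchange (message layout and XOR-MAPPED-ADDRESS encoding as in RFC 5389) sent through a toy NAT, which allocates a mapping merely because an outbound packet crossed it, and through a toy firewall, which applies a policy and can say "no". The classes ToyNat and ToyFirewall, the function names, and the addresses (from the documentation ranges) are all constructed for this illustration; the silent drop models a plain UDP discard, in which the client learns nothing beyond a timeout.

```python
import os
import socket
import struct

# RFC 5389 constants (STUN).
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid):
    """STUN header: type, attribute length, magic cookie, 96-bit transaction ID."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_success(txid, ip, port):
    """Binding Success carrying one XOR-MAPPED-ADDRESS (IPv4) attribute."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family, port, addr
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_xor_mapped_address(msg, expected_txid):
    """Return (ip, port) the server saw, or None if the reply is absent/invalid."""
    if msg is None or len(msg) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS or msg[8:20] != expected_txid:
        return None
    body, off = msg[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen >= 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                return None
            return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return None


def stun_server_handle(src, req):
    """A STUN server simply reports the source address it observed."""
    msg_type, _, cookie = struct.unpack("!HHI", req[:8])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        return None
    return build_binding_success(req[8:20], src[0], src[1])


class ToyNat:
    """Constructed model: no policy at all. The first outbound packet from an
    internal (ip, port) allocates an external port; that mapping is the side effect."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip, self.next_port, self.mappings = external_ip, first_port, {}

    def outbound(self, src, payload):
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.next_port += 1
        return (self.external_ip, self.mappings[src]), payload


class ToyFirewall:
    """Constructed model: a policy device. 'allow' gets (src, dst, payload) and may
    say no; a refusal is a silent drop, as with most UDP filtering."""

    def __init__(self, allow):
        self.allow = allow

    def outbound(self, src, dst, payload):
        return payload if self.allow(src, dst, payload) else None


def discover_reflexive(nat, firewall, internal_src, server_addr):
    """Client side: send a Binding Request and learn the server-reflexive address.
    Returns (ip, port), or None when the firewall dropped the request (timeout)."""
    txid = os.urandom(12)
    req = build_binding_request(txid)
    if firewall is not None:
        req = firewall.outbound(internal_src, server_addr, req)
        if req is None:
            return None
    ext_src, req = nat.outbound(internal_src, req)  # mapping created here, by side effect
    return parse_xor_mapped_address(stun_server_handle(ext_src, req), txid)


if __name__ == "__main__":
    client, server = ("10.0.0.5", 5000), ("198.51.100.1", 3478)
    nat = ToyNat("203.0.113.7")
    print("no firewall:", discover_reflexive(nat, None, client, server), nat.mappings)
    nat = ToyNat("203.0.113.7")
    fw = ToyFirewall(lambda src, dst, payload: dst[1] != 3478)  # policy: no STUN out
    print("firewall says no:", discover_reflexive(nat, fw, client, server), nat.mappings)
```

Two things the run shows. With only the NAT in the path, the client gets its reflexive address back and the NAT now holds a mapping it was never asked to create; with a firewall whose policy refuses port 3478, the client gets nothing at all, no mapping exists, and the only signal available to the application is a timeout, which is exactly the "tell the application it was denied" gap the message raises. Real NATs differ in mapping behaviour (endpoint-independent versus address- or port-dependent), and a real firewall may answer with an ICMP unreachable rather than a silent drop; the toy models neither.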