On 2/14/08 9:58 AM, "Iljitsch van Beijnum" <iljitsch@xxxxxxxxx> wrote:

> Disagree. There is no reason why a stateful firewall would have an
> easier time tracking UDP state than any other non-TCP state when there
> is no address translation.

There's just a lot more experience with UDP than there is with some other non-TCP protocols. Engineers have been more motivated to deal with it than they have with, say, SCTP.

But anyway, firewalls solve a different problem from NAT. NAT has incidentally been used as a policy device, but a firewall really is a policy device. So, while it might be reasonable to say "I need to figure out how to get across a NAT," it would also be reasonable to say "I need to figure out how to get across a firewall without violating access policy." You definitely do not want to design a mechanism that enables policy violation.

Melinda

_______________________________________________
Ietf@xxxxxxxx
http://www.ietf.org/mailman/listinfo/ietf