> Disagree. There is no reason why a stateful firewall would have an
> easier time tracking UDP state than any other non-TCP state when there
> is no address translation.

I believe the point here is that a stateful firewall installs a binding based on an initial packet from INSIDE the firewall, and removes the packet after some inactivity timer expires, and not based on any notion of UDP state (!).

So the point is not whether a stateful firewall can track UDP state (!) more easily than other non-TCP state, it's that firewall vendors have decided to punt on UDP and just run a timer, but they have not decided to punt on all non-TCP transport protocols in the same way.

Ignoring the whole "trusted inside/untrusted outside" model for now, of course.

Spencer
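A minimal model of the timer-only UDP binding described in the message above, added here as an illustration (it is not part of the original post and is not any vendor's implementation). The class and field names, the 30-second timeout, the refresh-on-inbound policy and the documentation-range addresses are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)

@dataclass
class UdpBindingTable:
    idle_timeout: float = 30.0       # assumed value; real products differ
    refresh_on_inbound: bool = True  # assumption: this policy varies by implementation
    bindings: dict = field(default_factory=dict)  # inside->outside Flow -> last-seen time

    def _expire(self, now):
        # The only "state" is a timestamp; nothing here inspects the UDP payload.
        stale = [f for f, seen in self.bindings.items() if now - seen >= self.idle_timeout]
        for flow in stale:
            del self.bindings[flow]

    def outbound(self, flow, now):
        """Packet from inside: allowed, installs or refreshes the binding."""
        self._expire(now)
        self.bindings[flow] = now
        return True

    def inbound(self, flow, now):
        """Packet from outside: allowed only if it mirrors a live binding."""
        self._expire(now)
        key = flow.reverse()
        if key not in self.bindings:
            return False
        if self.refresh_on_inbound:
            self.bindings[key] = now
        return True

def demo():
    fw = UdpBindingTable(idle_timeout=30.0)
    query = Flow("192.0.2.10", 40000, "198.51.100.53", 53)  # constructed sample flow
    reply = query.reverse()
    results = [fw.inbound(reply, now=0.0)]        # unsolicited: no binding yet
    fw.outbound(query, now=1.0)                   # inside host sends first packet
    results.append(fw.inbound(reply, now=2.0))    # reply within the timer window
    other = Flow("203.0.113.9", 53, "192.0.2.10", 40000)
    results.append(fw.inbound(other, now=3.0))    # different peer, same inside port
    results.append(fw.inbound(reply, now=40.0))   # idle 38 s: binding has expired
    return results
```

The last case is the consequence of running only a timer: the same reply that was accepted at t=2 is dropped at t=40, even though nothing about the exchange itself has changed.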