Keith More writes:
>I don't think so in either case. The reason I don't think so is that I
>suspect the NAT traversal problem is really a firewall traversal problem
>in disguise.
Absolutely, and that is why there needs to be a permissions system that allows effective decisions to be made without the need for human administrative decisions on a case by case basis.
I described one way of doing this in my book. Devices need to authenticate themselves to the network and they need to be able to specify the precise range of services they offer and require.
If you plug a Playstation into the home network, the network security policy should be something like:
* The Playstation has unrestricted access to the Internet, including the ability to open inbound ports in the range xxx-yyy and make outbound connections to such
* The Playstation can report status via SNMP and hook into the backup sub-system
* The Playstation cannot route packets to any other device on the network under any circumstances.
I do not want to run the Playstation with unrestricted network access. I certainly do not want it sending or receiving SMTP mail.
This is not just a protocol design issue, it is a platform architecture issue. I see the future as being a mixture of single-purpose devices that have a specific function and can be safely granted highly restricted access with few worries, and more complex multi-function platforms (computers, mobiles) that serve multiple functions and require partitioning enforced at the kernel level.
_______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf
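The per-device policy sketched in the post (declared inbound port range, unrestricted outbound Internet, a couple of LAN management hooks, no mail, no reach to other LAN devices) can be written down as a small decision function. The following is an added example, not code from the post or from any IETF work; the LAN prefix, device address, port numbers and service names are all constructed, and it models only the allow/deny decision, which a real deployment would push into a firewall or switch ACL once the device has authenticated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed home LAN; every address and port below is made up for the example.
LAN = ip_network("192.168.1.0/24")

# Mail ports the owner does not want the device using in either direction.
SMTP_PORTS = frozenset({25, 465, 587})


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the network sees it."""
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class DevicePolicy:
    """What an authenticated device declared it offers and requires."""
    name: str
    addr: str                 # address bound to the device's authenticated identity
    inbound_ports: range      # Internet-facing ports it may accept connections on
    lan_services: frozenset   # (proto, port) pairs LAN management hosts may reach on it
    lan_outbound: frozenset   # (proto, port) pairs it may call on LAN hosts (e.g. backup)
    # There is deliberately no knob for talking to arbitrary LAN peers.


def _is_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


def evaluate(policy: DevicePolicy, flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a flow that involves the device."""
    if flow.src == policy.addr:
        direction, peer = "outbound", flow.dst
    elif flow.dst == policy.addr:
        direction, peer = "inbound", flow.src
    else:
        return False, "flow does not involve this device"

    # No mail in either direction, whoever the peer is.
    if flow.proto == "tcp" and flow.dport in SMTP_PORTS:
        return False, "SMTP not permitted"

    key = (flow.proto, flow.dport)
    if _is_lan(peer):
        # LAN side: only the declared management hooks, nothing else.
        if direction == "inbound" and key in policy.lan_services:
            return True, "declared LAN service"
        if direction == "outbound" and key in policy.lan_outbound:
            return True, "declared LAN dependency"
        return False, "no access to other LAN devices"

    # Internet side: unrestricted outbound, inbound only on declared ports.
    if direction == "outbound":
        return True, "outbound Internet"
    if flow.dport in policy.inbound_ports:
        return True, "declared inbound port"
    return False, "undeclared inbound port"


# Constructed policy for the console described in the post.
PLAYSTATION = DevicePolicy(
    name="playstation",
    addr="192.168.1.50",
    inbound_ports=range(3074, 3080),           # stand-in for the post's xxx-yyy range
    lan_services=frozenset({("udp", 161)}),    # SNMP status queries from the LAN
    lan_outbound=frozenset({("tcp", 8200)}),   # constructed backup-agent port
)


def audit(policy: DevicePolicy, flows: list[Flow]) -> list[tuple[Flow, bool, str]]:
    """Evaluate a batch of flows and return each with its verdict."""
    return [(f, *evaluate(policy, f)) for f in flows]


if __name__ == "__main__":
    sample = [
        Flow("203.0.113.9", "192.168.1.50", "tcp", 3075),   # peer joining a game
        Flow("203.0.113.9", "192.168.1.50", "tcp", 22),     # unsolicited SSH from outside
        Flow("192.168.1.50", "203.0.113.9", "tcp", 443),    # store download
        Flow("192.168.1.50", "203.0.113.9", "tcp", 25),     # mail relay attempt
        Flow("192.168.1.10", "192.168.1.50", "udp", 161),   # SNMP poll from LAN
        Flow("192.168.1.50", "192.168.1.20", "tcp", 445),   # poking a file share
    ]
    for flow, ok, why in audit(PLAYSTATION, sample):
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow.src}->{flow.dst}:{flow.dport}/{flow.proto}  ({why})")
```

The shape matters more than the specific ports: the device's declaration is the only input the policy needs, the default for anything undeclared is deny, and the "no other LAN devices" rule is not a configurable field at all, so a mis-declared device cannot opt out of it.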