Re: IESG position on NAT traversal and IPv4/IPv6

On Nov 15, 2010, at 10:41 PM, Masataka Ohta wrote:

> Phillip Hallam-Baker wrote:
> 
>> You are incorrect.
>> 
>> Firewalls can be used for many purposes. Authenticated traversal is well
>> established in the firewall model.
> 
> Given the diversity of firewalls and their operations, it's
> practically impossible.

Why? Firewalls are not there to block arbitrary traffic. They are there to allow the required traffic, while blocking stuff that is either an attack or violates policy.

> 
>> There is a copious amount of prior art.
> 
> Remember what happened to path MTU discovery.
> 
> Just as path MTU discovery for IPv6 won't work, you can't expect
> firewalls in the real world behave friendly to your own firewall
> traversing protocols.

Why not? While I agree that firewalls are diverse, they are all made by vendors, and the big firewall vendors all have employees who participate in the IETF. An IETF standard that allows firewall traversal for legitimate traffic is very likely to be adopted by all the vendors. It might not work with some bargain-basement home router you get at Walmart, but even they eventually get updated software.
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

