In message <6461D9C5-8B0B-42D3-9877-32DB3E6150C6@xxxxxxxxxxxxxxxxxx>, Eric Burger writes:
>
> I am concerned with the drive to make all traffic totally opaque. I'll be
> brief: we have an existence proof of the mess that happens when we make
> all traffic look benign. It is called "everything over port 80." That
> `practical' approach drove the development of deep packet inspection,
> because everything running over port 80 was no longer HTTP traffic. It
> meant we could no longer prioritize traffic (in a good sense - *I* want
> to make sure my VoIP gets ahead of my Web surfing ahead of my FTP). It
> meant we could no longer apply enterprise policy on different
> applications. It drove `investment' in the tools that today dominate
> pervasive monitoring.
>
> Good job folks for unintended consequences.

And everyone went to port 80 because people put up blocks for other ports,
often for no other reason than "we can".

You have idiots with firewalls blocking access to submission yet allowing
access to webmail services. You have idiots with firewalls blocking access
to imaps/pops yet allowing access to webmail services. You have idiots with
firewalls blocking access to ... yet allowing https through.

As for VoIP traffic, have the originating device set TOS/TCLASS. It really
isn't that hard, having set both TOS and TCLASS in the application, sometimes
on a per-packet basis.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
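The TOS/TCLASS marking suggested above, as an added illustration (not code from the thread or from ISC): an application marks its own VoIP socket with DSCP EF, both socket-wide and per packet via sendmsg() ancillary data. It assumes a Linux host, since the per-packet IP_TOS control message is Linux-specific.

```python
import socket
import struct

# Expedited Forwarding (DSCP 46) is the conventional marking for voice.
DSCP_EF = 46


def dscp_to_tos(dscp):
    """Place a 6-bit DSCP in the top bits of the 8-bit TOS / Traffic Class byte.

    The low two bits are ECN and are left at zero.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def mark_socket(sock, dscp):
    """Mark every packet the socket sends; return the byte the kernel reports back."""
    tos = dscp_to_tos(dscp)
    if sock.family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_TCLASS, tos)
        return sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_TCLASS)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


def per_packet_ancdata(family, dscp):
    """Ancillary data for sock.sendmsg([payload], ancdata, 0, addr).

    Lets one packet (e.g. RTP vs. RTCP on the same socket) carry its own
    marking without touching the socket default. IPV6_TCLASS as a control
    message is standard (RFC 3542); IP_TOS as a control message is Linux-only.
    """
    tos = dscp_to_tos(dscp)
    if family == socket.AF_INET6:
        return [(socket.IPPROTO_IPV6, socket.IPV6_TCLASS, struct.pack("i", tos))]
    return [(socket.IPPROTO_IP, socket.IP_TOS, struct.pack("i", tos))]


def readback_ipv4(dscp=DSCP_EF):
    """Create a throwaway IPv4 UDP socket, mark it, and return what the kernel stored."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return mark_socket(s, dscp)


if __name__ == "__main__":
    print("TOS byte stored for DSCP EF: 0x%02x" % readback_ipv4())
```

No privilege is needed to set these values; whether the network honours them is up to each hop's policy.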