I have read your proposal and have a few questions:

a) Do you propose a DNS-Extension to use *one* name for an address pair?

b) What about address triples, quadruples and so on? There could be more than one Firewall, especially in the peer-to-peer scenario.

c) I would want to propose an option in the IPIP-Packet to reduce the possibility of fakes. Your scheme would be no good, if it would be possible to penetrate firewalls with it and flood internal computers, which are possibly not prepared to deal with it, because they are *not* servers, with traffic per guessed addresses. Then no sane router would route IPIP.

d) Is there a protocol to make a server known to the firewall (leasing a port)?

e) Is there a protocol to question a firewall for valid servers (if not per DNS as per question a)?

f) Is it a good idea to introduce cryptographic options into IPIP or is it better to use IPsec instead? (with regard to c)