Hi,
Yes, understood and agreed.
For a client vendor/implementer it's an interesting dilemma whether to
support something like HTTP/TLS "tunneling". On one hand it would make
your client work in more environments (users would typically see this as
a good thing), while on the other hand you are giving tools to break
network policies (enterprise/network admins see this as a bad thing).
Markus
>-----Original Message-----
>From: ext Melinda Shore [mailto:mshore cisco.com]
>Sent: 12 June, 2007 00:00
>To: Isomaki Markus (Nokia-SIR/Espoo); behave ietf.org; Dan Wing
>Subject: Re: [BEHAVE] NAT control and STUN - some thoughts
>
>On 6/11/07 4:07 PM, "Markus.Isomaki nokia.com" <Markus.Isomaki nokia.com>
>wrote:
>> - As methodologies such as ICE and real-world applications such as
>> Skype or GoogleTalk have shown, NAT/FW traversal *can* be done
>> relatively effectively in general.
>
>One quick point - Skype in particular works by bypassing
>firewall access control decisions, and that isn't a good
>thing. This is one area in which the distinction between
>firewall and NAT matters a great deal. Firewalls enforce
>access policies, occasionally very complex access policies.
>NATs, to the extent they deal with policy at all, deal with
>address policy, and in the pure NAT case you're not dealing
>with authorization questions as you are with firewalls.
>
>Anything that goes through a firewall without giving the
>firewall adequate opportunity to say "yes" or "no" is probably
>not okay, and consequently it's important to draw distinctions
>between firewalls and NATs in this context.
>
>Melinda
>
>
_______________________________________________
Behave mailing list
Behave ietf.org
https://www1.ietf.org/mailman/listinfo/behave
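The thread above contrasts a client that tunnels its own protocol over HTTP/TLS to "work in more environments" with a firewall that needs "adequate opportunity to say yes or no". The following is an added example, not code from either poster or from any IETF work: a minimal policy hook for the CONNECT step of an HTTP proxy, which is exactly the point where an enterprise firewall/proxy gets to make that decision. It assumes (illustratively) a proxy that hands the CONNECT target and the first bytes the client sends after "200 Connection established" to a policy function; the sample requests and payloads, including the STUN Binding Request header, are constructed for the example.

```python
"""Added example: a CONNECT-proxy policy hook (not from the BEHAVE thread).

Illustrates the point in the thread that a firewall/proxy must get a chance
to say "yes" or "no" to tunneled traffic.  The proxy plumbing itself is
assumed; only the decision logic is shown.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption for the example: only CONNECT to 443 is permitted, and a
# port-443 tunnel must actually start with a TLS ClientHello.
ALLOWED_PORTS = {443}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_connect(request: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) from an HTTP CONNECT request line, or None if malformed.

    rpartition on the last ':' keeps bracketed IPv6 literals such as [2001:db8::1]:443 intact.
    """
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii", "strict"), int(port)


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Cheap sanity check on the first bytes of a tunnel.

    A TLS connection opens with a record of content type handshake (0x16),
    a 3.x legacy version, a non-zero record length, and handshake type
    ClientHello (0x01).  This is not full TLS parsing; it only catches a
    client that asks for CONNECT :443 and then speaks something else.
    """
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len > 0 and data[5] == 0x01)


def decide_connect(request: bytes, first_bytes: bytes = b"",
                   allowed_hosts=None) -> Decision:
    """The firewall's "yes" or "no" for one CONNECT attempt.

    allowed_hosts=None means no host restriction (port and protocol checks still apply).
    """
    target = parse_connect(request)
    if target is None:
        return Decision(False, "malformed CONNECT request")
    host, port = target
    if allowed_hosts is not None and host not in allowed_hosts:
        return Decision(False, f"destination {host} not in allowlist")
    if port not in ALLOWED_PORTS:
        return Decision(False, f"port {port} not permitted for CONNECT")
    if first_bytes and not looks_like_tls_client_hello(first_bytes):
        return Decision(False, "tunnel to 443 does not start with a TLS ClientHello")
    return Decision(True, f"CONNECT {host}:{port} permitted")


# Constructed sample inputs (not captured traffic).
CONNECT_443 = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
CONNECT_22 = b"CONNECT example.com:22 HTTP/1.1\r\nHost: example.com:22\r\n\r\n"
NOT_CONNECT = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
# First 11 bytes of a TLS record carrying a ClientHello: type 0x16, version 3.1,
# record length 200, handshake type 0x01, handshake length 196, version 3.3.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")
# A STUN Binding Request header: type 0x0001, length 0, magic cookie
# 0x2112A442, 12-byte transaction id.  A client that tunnels STUN over a
# "TLS" CONNECT is the kind of policy bypass the thread is about.
STUN_BINDING_REQUEST = bytes.fromhex("00 01 00 00 21 12 a4 42") + b"\x00" * 12


def run_examples():
    """Return the decisions for the constructed samples (also printed when run directly)."""
    results = {
        "tls_over_443": decide_connect(CONNECT_443, TLS_CLIENT_HELLO_PREFIX),
        "stun_over_443": decide_connect(CONNECT_443, STUN_BINDING_REQUEST),
        "ssh_port": decide_connect(CONNECT_22, TLS_CLIENT_HELLO_PREFIX),
        "not_connect": decide_connect(NOT_CONNECT),
        "host_denied": decide_connect(CONNECT_443, TLS_CLIENT_HELLO_PREFIX,
                                      allowed_hosts={"intranet.example"}),
    }
    for name, decision in results.items():
        print(f"{name:14s} {'ALLOW' if decision.allowed else 'DENY '}  {decision.reason}")
    return results


if __name__ == "__main__":
    run_examples()
```

The peek at the first bytes is deliberately shallow: it gives the proxy a chance to refuse a tunnel that is TLS in name only, which is the difference between a client that asks the firewall and one that simply disguises its traffic. A real deployment would log every DENY with the CONNECT target so that the admin can see which clients are trying to tunnel.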