Paul Vixie wrote:
> lots of late night pondering tonight.
> the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of "every host for itself" but in a world with a hundred million unmanaged but reprogrammable devices is that really practical?

The most popular applications today either prefer or require bidirectional connectivity. Peer2peer traffic is about half of the total and there can be only so many "corporate sponsored" SuperNodes. Also, games and some other applications, like SIP and other VoIP stuff, require being able to connect to the remote host. Obviously you can engineer around all this, but then, fixing the host is also "just software".

> if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year?

Sure. One late remote exploit requires just an embedded MIDI file on a web page which MS's browser will be happy to download and "execute". Or did you think that the NAT box would allow only text based browsing and provide HTTP to Gopher translation? While you are at it, make sure all email-clients are safe and immune to viruses.

Pete
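To make the two positions concrete, here is a small added simulation (not code from either poster) of the access-network filter Paul describes, run over a constructed packet trace. The subscriber and peer addresses, port numbers and the 30-second UDP window are assumptions chosen for the example; the last entries show why Pete's objection holds: a page fetched by the subscriber's own browser comes back on an outbound-initiated connection, which the filter passes unconditionally.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    label: str
    direction: str     # "in" = Internet -> subscriber, "out" = subscriber -> Internet
    proto: str         # "tcp" or "udp"
    src: tuple         # (ip, port)
    dst: tuple         # (ip, port)
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt
    t: float = 0.0     # seconds since the start of the trace

UDP_TIMEOUT = 30.0     # assumption: how long an outbound UDP exchange stays "open"

class EdgeFilter:
    """Drop unsolicited inbound SYNs; pass inbound UDP only in reply to recent outbound UDP."""
    def __init__(self):
        self.udp_seen = {}          # (subscriber endpoint, peer endpoint) -> last outbound time

    def allow(self, p):
        if p.direction == "out":
            if p.proto == "udp":
                self.udp_seen[(p.src, p.dst)] = p.t
            return True             # anything the subscriber initiates passes
        if p.proto == "tcp":
            return not p.syn        # only new inbound connection attempts are refused
        last = self.udp_seen.get((p.dst, p.src))
        return last is not None and p.t - last <= UDP_TIMEOUT

SUB_IP = "10.0.0.7"                 # constructed subscriber address
DNS = ("192.0.2.53", 53)            # constructed resolver
WEB = ("198.51.100.8", 80)          # constructed web server hosting the booby-trapped page
SCANNER = "203.0.113.9"             # constructed scanning host

def trace():
    """Run the constructed trace through the filter; returns [(label, allowed)]."""
    sub = lambda port: (SUB_IP, port)
    pkts = [
        Packet("worm scans port 445",     "in",  "tcp", (SCANNER, 40000), sub(445), syn=True, t=0),
        Packet("subscriber DNS query",    "out", "udp", sub(5353), DNS, t=1),
        Packet("DNS reply",               "in",  "udp", DNS, sub(5353), t=1.1),
        Packet("unsolicited UDP probe",   "in",  "udp", (SCANNER, 1434), sub(1434), t=2),
        Packet("browser connects to web", "out", "tcp", sub(3000), WEB, syn=True, t=5),
        Packet("HTTP reply w/ bad MIDI",  "in",  "tcp", WEB, sub(3000), t=5.2),
        Packet("stale DNS reply",         "in",  "udp", DNS, sub(5353), t=60),
    ]
    f = EdgeFilter()
    return [(p.label, f.allow(p)) for p in pkts]
```

The filter stops the scan and the probe, but the reply carrying the hostile file is indistinguishable from any other page the subscriber asked for, which is exactly the gap Pete points at.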