On Tue, Oct 02, 2007 at 10:33:43PM +0200, Iljitsch van Beijnum wrote:
On 2-okt-2007, at 16:10, Stephen Sprunk wrote:
You can't trust the OS (Microsoft? hah!), you can't trust the application (malware), and you sure as heck can't trust the user (industrial espionage and/or social engineering). The only way that address-embedding protocols can work through a firewall, whether it's doing NAT or not, is to use an ALG.
You assume a model where some trusted party is in charge of a firewall that separates an untrustworthy outside and an untrustworthy inside. This isn't exactly the trust model for most consumer networks.
Err, it is. Really, it is. Residential-grade customers employ trusted parties like "DLink", "Alloy", "Alcatel", "Linksys", and various others to be in charge of the firewall that separates the untrustworthy internet from their inside network. Corporate-grade customers employ trusted parties as staff. SMEs are somewhere in between, often substituting their ISP as a proxy for "staff." Either way you cut it, the model you've just dismissed is _exactly_ the way the real world works.
Also, why would you be able to trust what's inside the control protocol that the ALG looks at any better than anything else?
You can't. So if the control protocol can possibly do anything bad, the firewall administrator says, "Well, can't let this take control of my network, I'll just block it." ... which breaks end-to-end reachability every bit as effectively as a NAT box does, regardless of whether or not the firewall employs NAT. Which is why various correspondents in this thread have repeatedly pointed out that any assertion that an IPv6 Internet is going to be any more end-to-end than an IPv4 Internet is delusional.
The defense and healthcare industries will force vendors to write those ALGs (actually, make minor changes to existing ones) if they care about the protocols in question because they have no choice -- security is the law.
Seems to work well, that law.
But these people don't complain when their video streaming/chatting doesn't work out of the box.
<splutter> Oh yes they do. You better believe it.

  - mark

-- 
Mark Newton                               Email:  newton@internode.com.au (W)
Network Engineer                          Email:  newton@atdot.dotat.org  (H)
Internode Systems Pty Ltd                 Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
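An added example, not code from this thread or from any of its posters, of the kind of ALG the discussion is about: FTP embeds the client's data-connection address in the PORT command, so a NAT must rewrite that text to let the protocol work, and, since nothing in the control channel can be trusted, it must first check that the embedded address really names the inside host that sent the command before it opens an inbound mapping. The `allocate` callback, the hypothetical mapping layout, and all addresses here are constructed for the example.

```python
import ipaddress
import re

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2", with the client's
# data-connection address and port embedded in the command text.
_PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def parse_port(line):
    """Return (ip_str, port) for a well-formed PORT line, else None."""
    m = _PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Inverse of parse_port: encode ip/port back into PORT syntax."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)]) + "\r\n"


def alg_rewrite(line, inner_src, nat_public_ip, allocate):
    """Rewrite one inside-to-outside PORT command the way a NAT's FTP ALG would.

    inner_src     -- address of the inside host that sent the command (from the IP
                     header, not from the command text)
    nat_public_ip -- the NAT's public address
    allocate      -- hypothetical callback (inner_ip, inner_port) -> public port the
                     NAT reserves for the expected inbound data connection
    Returns a dict: ok=True with the rewritten line and the mapping the NAT must
    install, or ok=False with the reason the command was refused.
    """
    parsed = parse_port(line)
    if parsed is None:
        return {"ok": False, "reason": "malformed PORT command"}
    ip, port = parsed
    # The control channel is untrusted input: accept only an embedded address
    # that names the host that actually sent the command. Anything else would
    # make the ALG open an inbound pinhole toward an arbitrary third party.
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(inner_src):
        return {"ok": False,
                "reason": "embedded address %s is not the sender %s" % (ip, inner_src)}
    if port < 1024:
        return {"ok": False, "reason": "refusing privileged data port %d" % port}
    public_port = allocate(ip, port)
    return {
        "ok": True,
        "line": format_port(nat_public_ip, public_port),
        # (public address, public port) -> (inside address, inside port)
        "mapping": ((str(ipaddress.IPv4Address(nat_public_ip)), public_port), (ip, port)),
    }


if __name__ == "__main__":
    # Constructed sample: inside host 192.168.1.10 behind a NAT at 203.0.113.5.
    reserve = lambda inner_ip, inner_port: 40000
    for cmd in ("PORT 192,168,1,10,4,210\r\n",   # honest: matches the sender
                "PORT 10,0,0,99,4,210\r\n",      # points at a third party
                "PORT 999,0,0,1,4,210\r\n"):     # malformed octet
        print(repr(cmd), "->", alg_rewrite(cmd, "192.168.1.10", "203.0.113.5", reserve))
```

The honest command is rewritten to carry the NAT's public address and a reserved public port; the other two are dropped rather than forwarded, which is the "just block it" outcome described above applied per command instead of to the whole protocol.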