Some applications will still require ALG functionality (or modification) to manage the state in the stateful firewall.

This is where I think the end to end mantra has lead us astray. The users do not care, they just want stuff to work despite security and other real world complexities that have been handled with ALG, SPF and NAT (I agree NAT as bodged on v4 is evil)

There might be some additional signaling required between the host and the firewall in order to let the firewall know

If v6 had allowed for indirect end to end, such as with SOCKS, then people who want ALG, SPF, NAT could do them without having to infer intent and end up breaking apps. brandon