In message <[EMAIL PROTECTED]>, Iljitsch van Beijnum writes:
>On 7-sep-2005, at 0:16, Daniel Senie wrote:
>
>> Actually, a "Firewall Considerations" section would make sense.
>
>What would be in such a section? There are only three possibilities:
>
>1. There is no firewall: no need for text.
>2. There is a firewall, and it doesn't try to block the protocol: no
>need for text.
>3. There is a firewall, and it tries to block the protocol.
>
>So what text would be helpful in case #3? Either the firewall
>successfully blocks the protocol and the firewall works and the
>protocol doesn't, or the firewall doesn't manage to block the
>protocol and the protocol works but the firewall doesn't. So whatever
>happens, someone is going to be unhappy.
>
Not at all. Often, a firewall needs to know a fair amount about the
protocol to do its job. FTP is the simplest case -- it has to look for
the PORT (and, in some configurations, the PASV) command. H.323 and SIP
are more complex.

But for complex protocols, we need to go a step further. SIP has,
built-in, provision for gateways. There are a number of reasons for
this, but firewall friendliness is certainly one of them. The proper
question is this: would adding something to the protocol enable it to
operate properly in the presence of a firewall *without* subverting
site security policy? The lack of that latter consideration has led to
people using http as the universal firewall traversal protocol, with
the obvious bad side-effects.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
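The FTP case above, as an added example that is not part of the original message: the control-channel inspection a firewall has to do to open the right data connection, plus the policy check that a PORT command must name the client itself. Function names, the sample lines and the addresses are constructed for illustration.

```python
"""Minimal FTP application-layer gateway logic: watch the control channel
for PORT (client) and 227/PASV (server) so the matching data connection
can be permitted, and refuse a PORT that names some other host.
Added example, not code from the original message; sample lines are constructed."""
import re

# Client: "PORT h1,h2,h3,h4,p1,p2" -> client listens on h1.h2.h3.h4:(p1*256+p2)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Server: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _endpoint(groups):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in FTP address")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection_for(line, client_ip, server_ip):
    """Inspect one control-channel line.
    Returns ("allow", (src_ip, dst_ip, dst_port)) for a data connection the
    firewall should admit, ("deny", reason) for an address that does not belong
    to the endpoint that advertised it, or None when the line needs no action."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _endpoint(m.groups())
        # Active mode: the server connects back to the advertised address.
        # A PORT naming a third host is the classic FTP bounce; refuse it.
        if ip != client_ip:
            return ("deny", f"PORT address {ip} does not match client {client_ip}")
        return ("allow", (server_ip, ip, port))
    m = _PASV_RE.match(line)
    if m:
        ip, port = _endpoint(m.groups())
        # Passive mode: the client connects to the server's advertised port.
        # Strict check; a NATed server advertising a private address needs a
        # deliberate relaxation here rather than a blanket allow.
        if ip != server_ip:
            return ("deny", f"PASV address {ip} does not match server {server_ip}")
        return ("allow", (client_ip, ip, port))
    return None

# Constructed sample session: client 10.0.0.5 talking to server 192.0.2.10.
SAMPLE_SESSION = [
    "PORT 10,0,0,5,4,1",                              # legitimate active mode
    "PORT 192,0,2,99,0,80",                           # names a third host
    "227 Entering Passive Mode (192,0,2,10,195,80).", # legitimate passive mode
]

if __name__ == "__main__":
    for ln in SAMPLE_SESSION:
        print(ln, "->", data_connection_for(ln, "10.0.0.5", "192.0.2.10"))
```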
_______________________________________________
Ietf mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/ietf