On 28 Jan 2003 09:50:53 +0200, Timo Sirainen wrote:
> With stateful firewalls or NATs each connection would require at least
> some memory and CPU. I didn't mean they'd necessarily cost much, but
> they're not free either.

I do not believe that people should architect protocols or software implementations to compensate for the limitations of firewalls and NATs. Rather, it is up to the vendors of firewalls and NATs to build products that can accommodate the protocols and software that the firewall/NAT will carry. Otherwise, firewalls and NATs will presently fall by the wayside. Such an outcome would probably be a good thing; I suspect that the majority of firewall and NAT installations are spurious security "answers" by people who didn't ask the right questions.

Phil Karn debunked the myth of "expensive TCP connections" back in the days when a PC was an 8088 and a 640K machine was big. Today, what is the incremental cost of RAM to accommodate an additional TCB? Some number of milli-cents? Micro-cents? Ditto CPU, now that we're measuring processor instruction times in picoseconds instead of nanoseconds.
