begin quoting Andrew Lentvorski as of Mon, Apr 17, 2006 at 08:57:31PM -0700:
> Stewart Stremler wrote:
> >I'm trying to say (and not well, it seems) that any pain suffered by
> >making NAT work with a reasonable protocol is _exactly_ _the_ _same_ _pain_
> >as making that protocol work with a default-deny protocol: you have to
> >go poke the device to say "let connections through to _this_ machine at
> >_this_ port". Consequently, NAT is just one extra step, or, if you
> >have your firewall assume the responsibility, it's not even that.
>
> Not everyone wants "default deny all outbound" on their network.

True. But if we're designing systems that won't work with such a policy
on the firewalls, that sort of policy is essentially *dead*. The choice
is taken away from me, while protocols that *do* work with such
firewalls don't impose that sort of constraint on anyone else.

> That's a religious issue. We are going to have to agree to disagree.

Heh. Fair 'nuff.

> >And UDP packets are dropped before TCP packets anyway. (I suppose that
> >might result in lots more retries and resends, because acknowledgements
> >won't get through... but any router that has a congestion problem has
> >an easy solution: drop more UDP packets. No more congestion.)
>
> Can I get a reference? I haven't heard of routers dropping UDP in
> preference to TCP. That would require packet inspection. Now, UDP
> won't retry, but that doesn't mean that the routers choose TCP over UDP.

I've been looking, and I can find neither the notes nor the reference
book. You're probably right, and I'm misremembering, and it was an
effect, not a decision. If I can find my notes on the topic, I'll
follow up. (Too. Much. Junk.)

[snip]

> Now, I can certainly question the validity of those numbers, but it
> seems to be in the right ballpark. The issue is that torrents move a
> *lot* of data. The fact that ISPs are buying expensive traffic shaping
> boxes indicates that this is indeed large enough to notice.

Hm... I see. Of course, Tracy often has some interesting comments on
torrents... they aren't as useful for him as one would expect.

> >TCP is hard to replace ... you end up implementing something that looks
> >an awful lot like TCP.
>
> Absolutely. It looks like TCP but goes through NATs. Good enough.

UDP doesn't go through NATs any better than TCP does. Same issues apply.
I must be missing your point here.

> And we all know what happens when something is "good enough".

Heh. Yup.

-- 
_ |\_ \|

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
