
Re: Headers



On Wed, 26 Feb 2003, Brian E Carpenter wrote:

> > > I would rather have the firewalls take part in the session
> > > establishment procedure.

> > Wouldn't this preclude fault tolerance? I mean what happens if this path
> > is broken and the communication is re-routed through another firewall? I
> > mean this would introduce some of the issues of NAT.

> Correct, or more generally the issues of any stateful middlebox.

Note that we are not requiring firewalls; other people are. If they fail
to require these boxes to handle the necessary state the right way,
that's their problem.

If a firewall is made part of the whole process at least we get to
implement some hooks for restoring the state if said firewall breaks.

> The Internet doesn't have sessions, so middleboxes shouldn't
> have session state.

If you want to be completely stateless, you need to include all the
identifying information in each packet. But this information is easily
spoofed, so you need additional authentication data. (Can't use IPsec
here as that has state.)

Fortunately, not much communication is stateless by necessity; it's just
implemented over stateless primitives because that has some advantages.

I wouldn't be against a situation where we have a stateful multihoming
protocol with low per-packet overhead and a stateless multihoming
protocol where everything is inside a single packet. However, I would be
against a multihoming solution where stateful protocols carry
information in each packet that is implied by the session state.