
Re: IPv6-PMP?
On Apr 10, 2007, at 5:45 PM, Rémi Denis-Courmont wrote:

> So... there seems to be a need for a mechanism to open pinholes (I do
> not expect the average user be able to do that).
>
> The hot debate around ICE & ANAT on MMUSIC at last IETF also hinted at
> IPv6 stateful firewalls, very much like IPv4 (though of course there
> should be no address/port translation).

Of course there will be stateful firewalls.

I compare this to the health management system of the human body. Apart from blood loss and things like that, the mechanisms that keep the body healthy would mostly do so without the skin. But the skin makes it ever so much more effective.

Firewalls that permit the end to end principle to remain in force are a good thing for networks. Where the so-called "personal firewall" on a desktop/laptop protects the system, the firewall protects the investment in the network and provides a second layer of defense for the host.

Doesn't SOCKS/GSSAPI open pinholes in firewalls?

And the stateful firewalls I am most familiar with actually open pinholes automagically. They observe SYN-etc messages going out and open pinholes for the responses. Where one needs to do more is with protocols where the originating message is incoming. I would expect (in keeping with the stateful firewalls I am most familiar with) that this is done with an access list that allows SMTP to the incoming mail server, WWW to the web server, and so on. A SIP proxy can similarly open a pinhole for a SIP data call.
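The three behaviours described in the message above (outbound SYNs opening return pinholes, a static access list for inbound-originated protocols such as SMTP and HTTP, and a trusted helper such as a SIP proxy opening a pinhole on demand) as a toy stateful IPv6 firewall. This is an added example, not code from the thread or from any real firewall product; the addresses are constructed documentation-prefix addresses, the `open_pinhole` method stands in for whatever interface a real proxy would use, and flow state is keyed on the full 5-tuple with no address or port rewriting, since there is no NAT.

```python
"""Toy stateful IPv6 firewall (constructed example).

Inside-to-outside packets are always allowed and create a flow entry so the
reply can come back.  Outside-to-inside packets are accepted only if they
match an existing flow (a pinhole), a static inbound access-list entry, or a
pinhole opened on demand by a trusted helper (the SIP proxy case).  Addresses
and ports are never rewritten: there is state, but no translation.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it (constructed; no real parsing)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # TCP connection attempt: SYN set, ACK clear


class StatefulFirewall:
    def __init__(self, inside_prefix, inbound_acl, flow_timeout=300):
        self.inside = IPv6Network(inside_prefix)
        # Static access list: (proto, inside server, port) reachable from outside.
        self.inbound_acl = set(inbound_acl)
        # Flow table: (proto, inside addr, inside port, outside addr, outside port) -> expiry
        self.flows = {}
        self.flow_timeout = flow_timeout

    def _inside(self, addr):
        return ip_address(addr) in self.inside

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items() if t > now}

    def open_pinhole(self, proto, inside_addr, inside_port, outside_addr, outside_port, now):
        """Hypothetical hook a trusted helper (e.g. a SIP proxy) calls to admit one media flow."""
        key = (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.flows[key] = now + self.flow_timeout

    def filter(self, pkt, now):
        """Return 'allow' or 'drop' for pkt, updating flow state as a stateful firewall would."""
        self._expire(now)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            # TCP: only an outgoing SYN starts a flow; UDP: any outgoing datagram does.
            if key in self.flows or pkt.syn or pkt.proto == "udp":
                self.flows[key] = now + self.flow_timeout
            return "allow"
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                self.flows[key] = now + self.flow_timeout  # reply traffic refreshes the pinhole
                return "allow"
            if (pkt.proto, pkt.dst, pkt.dport) in self.inbound_acl:
                return "allow"  # unsolicited, but explicitly permitted to this server
            return "drop"
        # Inside-to-inside or outside-to-outside traffic never crosses the firewall.
        return "drop"


def demo():
    """Run the scenarios from the message; returns a dict of decisions."""
    fw = StatefulFirewall(
        "2001:db8:1::/64",
        inbound_acl={("tcp", "2001:db8:1::25", 25),   # SMTP to the incoming mail server
                     ("tcp", "2001:db8:1::80", 80)},  # WWW to the web server
    )
    host, peer = "2001:db8:1::10", "2001:db8:ff::1"
    mail, stranger, media = "2001:db8:1::25", "2001:db8:ff::2", "2001:db8:ff::3"
    r = {}
    r["out_syn"] = fw.filter(Packet(host, 50000, peer, 443, syn=True), now=0)
    r["reply"] = fw.filter(Packet(peer, 443, host, 50000), now=1)
    r["unsolicited_ssh"] = fw.filter(Packet(stranger, 4444, host, 22, syn=True), now=2)
    r["smtp_to_mx"] = fw.filter(Packet(stranger, 4444, mail, 25, syn=True), now=3)
    r["stale_reply"] = fw.filter(Packet(peer, 443, host, 50000), now=1000)
    # A SIP proxy, having seen the call set-up, admits the RTP flow for one 5-tuple only.
    fw.open_pinhole("udp", host, 49170, media, 20000, now=1001)
    r["rtp_in"] = fw.filter(Packet(media, 20000, host, 49170, proto="udp"), now=1002)
    r["rtp_wrong_port"] = fw.filter(Packet(media, 20001, host, 49170, proto="udp"), now=1002)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} {decision}")
```

The last two scenarios are the point a practitioner usually wants to check: a pinhole is a single 5-tuple, so the media peer can reach the negotiated RTP port and nothing else, and the pinhole lapses when the flow goes idle. A real implementation would also track TCP state (SYN-ACK, FIN, RST) rather than treating every matching packet as a refresh.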