[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
References: <E1H56s6-0007us-HB@stiedprstage1.ietf.org> <200704111052.05934@auguste.remlab.net> <F26D69F6-8BEE-4D3D-A5B4-C730E9975DA1@apple.com> <200704112214.30985@auguste.remlab.net> <F65A3EA3-3E07-4C63-A4FF-C94832D556FC@apple.com> <70C6EFCDFC8AAD418EF7063CD132D06404352E36@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <200704130208.l3D28UWs017668@cichlid.raleigh.ibm.com> <F7359BE1-601E-4047-AC44-8653872303E2@apple.com> <20070415095925.28786098.ipng@69706e6720323030352d30312d31340a.nosense.org> <406C954E-B2D4-4EE0-904F-12C65902EA13@apple.com> <20070417061641.6df36300.ipng@69706e6720323030352d30312d31340a.nosense.org> <D9E32C70-B89D-4417-8340-38C79657F6A9@apple.com> <46248630.8020804@zurich.ibm.com> <courier.46248EB6.00006E0C@softhome.net> <1F310BCB-2EE0-441B-BB2F-67DF3EA6ABF4@apple.com> <AC0FBA28-A14B-466E-B1D6-16E4F4EB2036@muada.com> <1139442A-99C2-458D-A7ED-0833D3CFE358@apple.com> <0829DAE3-60A9-4918-8834-715B93665D39@muada.com> <02bd01c783b9$959b7490$c0d25db0$@net> <" C 118670B-0796-41EE-8D7F -5BA88D885255"@apple.com> <013201c7884a$ddd093e0$9971bba0$@net> <CF278F61-4C88-4C01-A8AC-0B2E77D8FD7C@apple.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <96847E97-3DED-45A6-A9D2-805C4C9BF6EE@cisco.com>
Cc: IETF V6OPS WG <v6ops@ops.ietf.org>
Content-Transfer-Encoding: 7bit
From: Fred Baker <fred@cisco.com>
Subject: Re: application listener discovery in the presence of stateful firewalls
Date: Sat, 28 Apr 2007 23:10:31 -0700
To: james woodyatt <jhw@apple.com>
X-Mailer: Apple Mail (2.752.3)
Return-Path: fred@cisco.com
X-OriginalArrivalTime: 29 Apr 2007 06:10:30.0788 (UTC) FILETIME=[17038C40:01C78A25]
On Apr 26, 2007, at 6:34 PM, james woodyatt wrote:
> My biggest worry about IPv6 is that transition may be slowed or
> even halted because of the basic problem that applications which
> work over IPv4/NAT today can't be made to work over IPv6 too,
> without still deploying ALG's everywhere and/or developing the
> moral equivalent of UPnP IGD and NAT-PMP (minus the UNSAF aspect).
I find that a surprising statement. Maybe you can fill me in?
if an application resides in two systems on the same LAN, or in two
systems behind the same ALG, they demonstrably don't need the ALG to
operate. So what the ALG does is enable them to transit a firewall or
other barrier that the protocol will not.
What would those be?
I can think of some that are erected for administrative reasons.
Examples include SIP Proxies, which in a NAT world provide a NAT
traversal strategy and in a stateful firewall world provide the
transit of the stateful firewall. Since a stateful firewall generally
allows an interior system to send a datagram out and get a datagram
in response, these would be about letting a datagram *in* under the
right circumstances. I'll conjecture that in many cases it might be
accomplished by triggering the interior device to send a datagram out.
What *other* ALGs do you see?