On 23-jul-2007, at 15:00, Jeroen Massar wrote:
I am actually starting to believe that we really need a secure protocol à la UPnP for requesting 'privileges' for sending packets over a network border, current NAT boxes/gateways.
Let's say I am sitting behind my laptop, and I want to go to www.wikipedia.org (http over tcp, port 80); then my host should 'ask' a $device on the network if I am allowed to make a TCP connection to port 80 of www.wikipedia.org. $device in the network then gives me a tag saying 'here you go' and distributes this tag also to the firewalls that are in the network to allow traffic tagged with this through.
Long, long ago in a galaxy far, far away we tried to come up with a way to do scalable multihoming for IPv6. One of the approaches I came up with (yes, I came up with several, as did a bunch of other people, we had 30+ active drafts at one point) (although I think I never wrote a draft for this one) was:
Make middleboxes part of the architecture. Those middleboxes would then be able to do pretty much what shim6 does, and a lot of other things. One of those things would be limiting access to the outside world based on the application and application version. So if today there's a new vulnerability in your favorite browser, tomorrow that browser can't connect to the rest of the world but only to favoritebrowserupdate.com. Another feature that you get for free is translation between IPv4 and IPv6.
If you squint a bit you may notice that using a proxy pretty much gives you this in a more ad-hoc way.
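A toy model of the scheme quoted above (host asks, $device issues a tag and pushes it to the firewalls, firewalls forward only tagged flows), added here as an illustration and not code from the thread or any real protocol; the class names, the policy table and the clock values are made up, and the firewall binds each tag to the exact flow it was issued for so that a tag granted for port 80 cannot be reused for another port:

```python
import secrets

class PolicyDevice:
    """The '$device' of the quoted proposal (constructed model): decides per flow, hands out tags."""
    def __init__(self, allowed, firewalls, ttl=60):
        self.allowed, self.firewalls, self.ttl = set(allowed), firewalls, ttl

    def request(self, host, dst, proto, port, now):
        """Host asks 'may I open proto/port to dst?'; returns a tag, or None when policy says no."""
        if (dst, proto, port) not in self.allowed:
            return None
        tag = secrets.token_hex(16)          # unguessable, so a host cannot mint its own
        for fw in self.firewalls:            # push tag + flow + expiry to every border device
            fw.learn(tag, (host, dst, proto, port), now + self.ttl)
        return tag

class Firewall:
    """Border device: forwards only packets carrying a tag it was told about, for that exact flow."""
    def __init__(self):
        self.tags = {}

    def learn(self, tag, flow, expires):
        self.tags[tag] = (flow, expires)

    def permit(self, pkt, now):
        entry = self.tags.get(pkt.get("tag"))
        if entry is None:
            return False                     # untagged, or a tag the device never issued
        flow, expires = entry
        if now > expires:
            self.tags.pop(pkt["tag"])        # stale tag: drop the packet and forget the tag
            return False
        # Bind the tag to its flow; otherwise a tag for port 80 would also open port 25.
        return flow == (pkt["src"], pkt["dst"], pkt["proto"], pkt["port"])

def demo():
    """Walk the quoted scenario: laptop -> www.wikipedia.org tcp/80, plus the cases that must fail."""
    fw = Firewall()
    dev = PolicyDevice(allowed=[("www.wikipedia.org", "tcp", 80)], firewalls=[fw], ttl=60)
    t = 1000                                 # constructed clock value
    tag = dev.request("laptop", "www.wikipedia.org", "tcp", 80, now=t)
    web = {"src": "laptop", "dst": "www.wikipedia.org", "proto": "tcp", "port": 80, "tag": tag}
    return {
        "denied_request": dev.request("laptop", "www.wikipedia.org", "tcp", 25, now=t) is None,
        "tagged_web_ok": fw.permit(web, now=t + 1),
        "untagged_dropped": fw.permit(dict(web, tag=None), now=t + 1),
        "tag_not_reusable": fw.permit(dict(web, port=25), now=t + 1),   # same tag, other flow
        "expired_dropped": fw.permit(web, now=t + 61),
    }
```

The interesting checks are the last three: a missing tag, a tag replayed on a different flow, and an expired tag are all dropped at the border even though the device did issue the tag.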