
Re: CPE equipments and stateful filters



On 24-jul-2007, at 11:31, Rémi Denis-Courmont wrote:

By the way, to amend James's slideset, only UDP really works with ICE (or any
form of hole punching), while TCP works to a very-lesser extent, and
everything else does not: DCCP, SCTP, IPsec...

Why?

An important issue about the hole punching is the shape of the hole. If the hole has the shape of a particular transport session, you're not accomplishing much because you still can't receive arbitrary incoming sessions. If the hole is for a transport session with a wildcard at the remote end, you still need to understand the transports well enough to catch them. If the hole is IP-shaped, life is easy but then there are only two flavors: completely closed and completely open. That means only hosts that can do all their own filtering could safely open up a hole.
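A small model of the three hole shapes described above, added as an illustration and not part of the original message. The addresses, ports, and the assumption that the filter can read only UDP and TCP headers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

PARSED = {"udp", "tcp"}  # assumption: transports whose headers this filter can read

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Hole:
    shape: str                    # "session", "wildcard-remote" or "ip"
    local: str                    # inside host the hole was opened for
    proto: Optional[str] = None
    lport: Optional[int] = None
    remote: Optional[str] = None
    rport: Optional[int] = None

def admits(hole: Hole, pkt: Packet) -> bool:
    """Return True if the filter lets this inbound packet through the hole."""
    if pkt.dst != hole.local:
        return False
    if hole.shape == "ip":
        return True               # no transport knowledge needed: fully open
    # Port-based shapes require the filter to understand the transport header.
    if pkt.proto not in PARSED or (pkt.proto, pkt.dport) != (hole.proto, hole.lport):
        return False
    if hole.shape == "wildcard-remote":
        return True               # any remote address and port
    return (pkt.src, pkt.sport) == (hole.remote, hole.rport)

# Constructed sample data (documentation prefix 2001:db8::/32).
HOST, PEER, OTHER = "2001:db8:a::1", "2001:db8:b::2", "2001:db8:c::3"
HOLES = {
    "session": Hole("session", HOST, "udp", 5000, PEER, 4000),
    "wildcard-remote": Hole("wildcard-remote", HOST, "udp", 5000),
    "ip": Hole("ip", HOST),
}
PACKETS = {
    "peer_udp": Packet("udp", PEER, HOST, 4000, 5000),
    "other_udp": Packet("udp", OTHER, HOST, 4000, 5000),
    "peer_sctp": Packet("sctp", PEER, HOST, 4000, 5000),
    "other_tcp_22": Packet("tcp", OTHER, HOST, 4000, 22),
}

def admitted() -> dict:
    """Map each hole shape to the set of sample packets it lets in."""
    return {n: {p for p, pkt in PACKETS.items() if admits(h, pkt)} for n, h in HOLES.items()}
```

Calling `admitted()` shows the session-shaped hole passing only the established peer, the wildcard hole passing any UDP sender to that port, and the IP-shaped hole passing everything addressed to the host, including the unrelated TCP connection to port 22.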