On Wed, Apr 21, 2010 at 4:12 AM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
> > From: Colm Buckley [mailto:c...@tuatha.org]
> >
> > There's nothing about P2P applications which requires an open firewall;
>
> If you're behind a firewall, which blocks inbound unknown connections,
> And I'm behind a firewall, which blocks inbound unknown connections,
>
> Then how do you propose you and I can communicate p2p? It's only possible
> via techniques such as NAT traversal and STUN, which will only work on
> braindead firewalls.

I think we may be differing on the meaning of "unknown". If the firewall is configured not to allow P2P traffic, then there is no way to use these protocols. If, however, the network administrator does allow P2P traffic (either by requiring proxy authorisation, or simply opening the relevant ports), then it becomes trivial. It doesn't mean that the firewall needs to open "unknown" connections; what do you mean by the term "unknown"?

If the intention is to allow P2P traffic, then it's vastly easier on IPv6, where the IP address of the endpoint is consistent everywhere; there's no need either for ugly external-to-internal port/IP mappings, nor for hacky reflector or STUN setups.

> RFC3041, first of all, is client-based. It doesn't allow a sysadmin to mask
> the internal network topology; it's up to all the internal clients to do it
> voluntarily.

Yes; this is true. I don't really see that it's important, though. It's client security which is important; subnets and the like don't actually have an existence apart from the clients which exist on them.

> And second of all, that just means the clients' IP address will change. It
> doesn't mask the network topology. If some outside person does a
> traceroute, it will work perfectly well, identifying all the intermediate
> routers necessary to reach your internal node.

Well, sure, but why is this a problem? It's always possible to block the relevant bits of ICMP at the border firewall if you're really concerned about not releasing the IP addresses of your internal routers; this would be preferable to breaking the underlying addressing model of IP using NAT. NAT is basically an ugly hangover from the days of short address space and lazy firewall design; it's always caused far more problems than it solves.

The IPv6 model is basically that every device has an address which is either reachable through the relevant firewalls, or not. Everything becomes simpler under this model; take a look at the ludicrously overcomplicated topology of your average multisite VOIP or VC network, with reflectors, gatekeepers and the like, or the hacks which nearly everyone has at their border firewall to map particular DMZ ports through to internal ports, fragile though that be.

> The point of RFC3041 is not masking your network topology. It's making your
> laptop not uniquely identifiable or trackable.
>
> Have you read it? It doesn't sound like you have.

Read it, set it up, using it right now.

Colm

--
Colm Buckley / c...@tuatha.org / +353 87 2469146
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/