[e2e] Internet Draft and survey on P2P in the presence of NAT
Melinda Shore
mshore at cisco.com
Wed Apr 9 17:10:39 PDT 2003
> as they want, making the NAT functions of NAT/firewall boxes obsolete, that
> won't make the firewall part obsolete. Individuals and corporations alike
> will still install firewalls and configure them to block all
> apparently-unsolicited incoming TCP or UDP connections, because doing so
> simply makes good security sense and reduces practical vulnerability even if
> it is far from an end-all security solution. And as long as firewalls are
> blocking incoming connections, tricks like UDP hole punching or the use of
> protocols like UPNP or MIDCOM will be needed in order to make P2P
> applications work.
Midcom/UPnP doesn't really solve the incoming connection
problem, even for firewalls. There's an implicit assumption
that you've got something listening at an accessible port/
address, and that thing communicates with the firewall or
NAT to request pinholes. That model makes a lot of sense
for applications like telephony but doesn't work as well for
peer-to-peer applications.
One notion that's gaining some currency is to rely on the
use of host-based firewalls that participate in a
centralized policy system. Obviously that doesn't solve the
NAT problem and it doesn't completely obviate the use of
perimeter firewalls, which will continue to be used for a
variety of very wrong and occasionally somewhat right
reasons. While it introduces a new set of problems (rich
policy expression, interdomain issues, etc.) I think it can
be made to play a little more nicely with perimeter
firewalls.
Melinda