[e2e] Internet Draft and survey on P2P in the presence of NAT

Melinda Shore mshore at cisco.com
Wed Apr 9 17:10:39 PDT 2003


> as they want, making the NAT functions of NAT/firewall boxes obsolete, that 
> won't make the firewall part obsolete.  Individuals and corporations alike 
> will still install firewalls and configure them to block all 
> apparently-unsolicited incoming TCP or UDP connections, because doing so 
> simply makes good security sense and reduces practical vulnerability even if 
> it is far from an end-all security solution.  And as long as firewalls are 
> blocking incoming connections, tricks like UDP hole punching or the use of 
> protocols like UPNP or MIDCOM will be needed in order to make P2P 
> applications work.  

Midcom/UPnP doesn't really solve the incoming connection
problem, even for firewalls.  There's an implicit assumption
that you've got something listening at an accessible port/
address, and that thing communicates with the firewall or
NAT to request pinholes.  That model makes a lot of sense
for applications like telephony but doesn't work as well for
peer-to-peer applications.

One notion that's gaining some currency is to rely on the
use of host-based firewalls that participate in a
centralized policy system.  Obviously that doesn't solve the
NAT problem and it doesn't completely obviate the use of
perimeter firewalls, which will continue to be used for a
variety of very wrong and occasionally somewhat right
reasons.  While it introduces a new set of problems (rich
policy expression, interdomain issues, etc.) I think it can
be made to play a little more nicely with perimeter
firewalls.

Melinda

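As an added worked example, not part of Melinda's post or anything else in this thread: the pinhole-request model she describes (an application that already listens on an internal address/port asks the NAT/firewall to forward a port to it) is what UPnP IGD's AddPortMapping action does. The request format below follows the standard WANIPConnection:1 service; the gateway-side acceptance check, the sample gateway responses and all addresses and ports are constructed here for illustration, and no network I/O is performed.

```python
"""Added example, not from the end2end-interest post: a minimal UPnP IGD
AddPortMapping exchange, offline, showing the pinhole-request model the
reply describes (a host that already listens on an internal address/port
asks the NAT/firewall to forward an external port to it)."""
import xml.etree.ElementTree as ET

# Standard UPnP identifiers (IGD v1 WANIPConnection service, SOAP 1.1
# envelope, UPnP control-protocol error namespace).
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"


def build_add_port_mapping(gateway_host, external_port, internal_client,
                           internal_port, protocol="TCP",
                           description="p2p-app", lease_seconds=3600):
    """Return (headers, body) for an AddPortMapping POST to the service's
    control URL (discovered via SSDP/device description, omitted here).
    The caller must already know where it listens: UPnP opens a pinhole
    towards an existing listener, it does not create one."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    for p in (external_port, internal_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"port out of range: {p}")
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body>'
        f'<u:AddPortMapping xmlns:u="{IGD_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'  # empty = any remote host
        f'<NewExternalPort>{external_port}</NewExternalPort>'
        f'<NewProtocol>{protocol}</NewProtocol>'
        f'<NewInternalPort>{internal_port}</NewInternalPort>'
        f'<NewInternalClient>{internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease_seconds}</NewLeaseDuration>'
        '</u:AddPortMapping>'
        '</s:Body>'
        '</s:Envelope>'
    )
    headers = {
        "Host": gateway_host,
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{IGD_SERVICE}#AddPortMapping"',
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return headers, body


def gateway_should_accept(request_body, requester_ip):
    """Constructed gateway-side policy (illustrative, not any product's):
    accept a mapping only if it points at the host that asked for it.
    Stock UPnP IGD has no authentication, so without a rule like this any
    LAN host can open a pinhole towards any other internal address."""
    try:
        root = ET.fromstring(request_body)
    except ET.ParseError:
        return False, "malformed SOAP"
    action = root.find(f"{{{SOAP_NS}}}Body/{{{IGD_SERVICE}}}AddPortMapping")
    if action is None:
        return False, "not an AddPortMapping request"
    client = action.findtext("NewInternalClient")
    if client != requester_ip:
        return False, f"mapping targets {client}, requester is {requester_ip}"
    return True, "ok"


def parse_add_port_mapping_response(response_body):
    """Return (0, 'ok') on success, or (UPnP errorCode, description) on a
    SOAP fault, e.g. 718 ConflictInMappingEntry when the external port is
    already mapped to another host."""
    root = ET.fromstring(response_body)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    if body.find(f"{{{IGD_SERVICE}}}AddPortMappingResponse") is not None:
        return 0, "ok"
    err = body.find(f"{{{SOAP_NS}}}Fault/detail/{{{CTRL_NS}}}UPnPError")
    if err is None:
        raise ValueError("unrecognised response")
    return (int(err.findtext(f"{{{CTRL_NS}}}errorCode")),
            err.findtext(f"{{{CTRL_NS}}}errorDescription"))


# Constructed sample gateway responses, shaped as the UPnP IGD spec lays out.
SAMPLE_OK = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:AddPortMappingResponse xmlns:u="{IGD_SERVICE}"/>'
    '</s:Body></s:Envelope>'
)
SAMPLE_CONFLICT = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    f'<detail><UPnPError xmlns="{CTRL_NS}">'
    '<errorCode>718</errorCode>'
    '<errorDescription>ConflictInMappingEntry</errorDescription>'
    '</UPnPError></detail></s:Fault></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    hdrs, req = build_add_port_mapping("192.168.1.1:49152", 6881,
                                       "192.168.1.10", 6881)
    print(hdrs["SOAPAction"])
    print(gateway_should_accept(req, "192.168.1.10"))   # accepted
    print(gateway_should_accept(req, "192.168.1.20"))   # refused
    print(parse_add_port_mapping_response(SAMPLE_CONFLICT))
```

The request side makes the post's point visible: every field that matters (NewInternalClient, NewInternalPort) describes a listener the application already has, which is why the model suits a telephony endpoint with a fixed signalling port better than a P2P node that has nothing reachable to point at. The gateway-side check is a plausible narrowing, not a fix for the missing authentication in the protocol itself.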