Hi all,

I've been working on a paper describing some measurements we did to determine how many TCP and UDP sessions residential broadband users consume for the purpose of evaluating the likely impact of Service Provider (or Carrier Grade) NAT.

After submitting the paper to a journal I received an interesting comment from a reviewer:

"It is not uncommon to see transparent but stateful firewalls in ISPs (without NATs) today - to avoid DoS attacks. These firewalls do a job similar to SPNATs. What is the state maintenance and processing overhead in these firewall deployments? Can we reuse any lessons from them?"

The questions I have: Is that initial statement correct? Is there anyone out there who is using (or knows anyone who is using) a stateful firewall in such a fashion?

Any responses off-list would be more than welcome.

Thanks,
Shane Alcock
WAND