On Thu, Jul 19, 2001 at 09:01:17AM +1200, Don Stokes wrote:

> Mostly it breaks in places where protocol layering is violated (e.g.
> putting a network address in the application layer), in which case it's
> going to break when you go to IPv6 (or any other protocol) anyway.

Well, for that there are even more evil hacks such as protocol helpers, most commonly for things like FTP and RTSP.

The anal wanted-to-be-a-research-scientist-but-the-money-sucked retentive part of me finds the fact that these systems are required to keep state in the middle of the connection disgusting. It's because of this that you get timeouts and other such funnies, caused by this horrible, often poorly written state machine in the middle trying to second-guess the state of the two ends.

TCP in particular was designed with a reasonable degree of care to ensure that you can mathematically validate various principles. To do so, there is logic which allows one state machine to resynchronize if the other one gets hosed, and for both state machines to stay synchronized under a wide range of conditions. NAT completely stuffs this up. The most obvious example of this is TCP sessions dying when they either time out or the NAT device loses state (e.g. the nasty Nokia DSL modem crashes because it doesn't like packets with various RFC 1323 extensions under load).

It also doesn't work very well for peer-to-peer comms. But peer-to-peer comms are a problem when setting up any kind of firewall anyway.

Firewalls are evil too. Arguably a necessary evil forced upon the world by legions of terrible application programmers and moderately inept system administrators, and also by the fact that most of the critical protocols presently in use were designed during a much friendlier Internet[1].

My biggest objection with firewalls and NAT devices is that the majority of the commercial ones out there suck. Checkpoint Firewall-1 is IN MY OPINION a terrible product. It's quirky, slow, extremely resource hungry, terribly buggy, with abysmal support quality. However, as almost everything else 'brand-name' commercially available is even worse, it's very popular despite being horrendously expensive.

The NAT implementation in Cisco routers often supports only the most basic protocol helpers such as FTP, is again often buggy (heresy, I know, claiming IOS has bugs) and leaks memory like a sieve. If anyone has a Nokia DSL modem and has spent a lot of time behind it with an ssh session open, then you'll probably have noticed they crash fairly often too. nmap will drop them dead too.

Ironically, the average FreeBSD or Linux box is much quicker, cheaper, far less buggy, less resource intensive and has effectively much better support.

Anyhow, this is getting way off topic....

--cw

[1] Was it Vixie who said, "I want my old Internet back!" ???

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
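The two complaints in the message above (a NAT box has to keep per-connection state in the middle, so sessions die when that state times out or the box reboots; and an FTP protocol helper has to reach into the application layer and rewrite the address the client advertises in its PORT command) can be shown with a toy connection-tracking table. This is an added illustration, not code from the original post or from any of the products it names. The addresses (192.168.1.10 behind a public 203.0.113.7), the public port pool starting at 40000 and the 300-second idle timeout are all constructed, and the mapping is keyed on (private address, private port) only rather than the full 5-tuple a real translator would use.

```python
"""Toy NAT connection-tracking table plus an FTP PORT protocol helper.

Constructed example: addresses, ports and the timeout are made up, and the
translation is keyed on (private_ip, private_port) only, not the full 5-tuple
a real NAT would use.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    idle_timeout: float = 300.0   # seconds an idle mapping survives before the NAT forgets it
    next_port: int = 40000        # next public port to hand out (hypothetical pool)
    # (private_ip, private_port) -> public_port
    outbound_map: dict = field(default_factory=dict)
    # public_port -> [private_ip, private_port, last_seen]
    inbound_map: dict = field(default_factory=dict)

    def _alloc(self, priv_ip, priv_port, now):
        """Find or create the mapping for a private endpoint and refresh its timestamp."""
        key = (priv_ip, priv_port)
        if key not in self.outbound_map:
            pub = self.next_port
            self.next_port += 1
            self.outbound_map[key] = pub
            self.inbound_map[pub] = [priv_ip, priv_port, now]
        pub = self.outbound_map[key]
        self.inbound_map[pub][2] = now
        return pub

    def expire(self, now):
        """Drop mappings idle longer than idle_timeout; returns how many died."""
        dead = [p for p, (_, _, seen) in self.inbound_map.items()
                if now - seen > self.idle_timeout]
        for p in dead:
            ip, port, _ = self.inbound_map.pop(p)
            self.outbound_map.pop((ip, port), None)
        return len(dead)

    def outbound(self, priv_ip, priv_port, now):
        """Translate a packet leaving the private side -> (public_ip, public_port)."""
        self.expire(now)
        return self.public_ip, self._alloc(priv_ip, priv_port, now)

    def inbound(self, public_port, now):
        """Translate a packet arriving from the Internet -> (private_ip, private_port),
        or None when the NAT holds no state for it: the packet is dropped and the
        two TCP endpoints, which still think the session is up, are left to time out."""
        self.expire(now)
        entry = self.inbound_map.get(public_port)
        if entry is None:
            return None
        entry[2] = now
        return entry[0], entry[1]

    def crash(self):
        """Simulate the box rebooting: every mapping, and so every session, is lost."""
        self.outbound_map.clear()
        self.inbound_map.clear()


# FTP's PORT command carries an IPv4 address and port as six decimal octets,
# i.e. a network address inside the application layer.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def ftp_port_helper(nat, priv_ip, line, now):
    """Rewrite a client's PORT command so the server connects back to the NAT.

    Returns (line_to_forward, (public_ip, public_port) or None). Non-PORT lines,
    and PORT lines advertising an address other than the sender's own (which a
    helper should never translate), pass through unchanged.
    """
    m = PORT_RE.match(line)
    if not m:
        return line, None
    octets = m.groups()
    advertised_ip = ".".join(octets[:4])
    advertised_port = int(octets[4]) * 256 + int(octets[5])
    if advertised_ip != priv_ip:
        return line, None
    # The helper must create state now for a connection that does not exist yet:
    # the server's data connection will arrive inbound at the public port.
    pub_ip, pub_port = nat.outbound(priv_ip, advertised_port, now)
    new_line = "PORT %s,%d,%d\r\n" % (pub_ip.replace(".", ","), pub_port // 256, pub_port % 256)
    return new_line, (pub_ip, pub_port)


def demo():
    """Walk one private host through a normal session, a timeout, an FTP transfer and a crash."""
    nat = Nat(public_ip="203.0.113.7", idle_timeout=300.0)   # constructed addresses
    # 1. Ordinary outbound TCP session; the reply comes back within the timeout.
    _, pub_port = nat.outbound("192.168.1.10", 51000, now=0.0)
    first_reply = nat.inbound(pub_port, now=10.0)
    # 2. The session goes quiet for longer than the idle timeout: the NAT forgets
    #    it and the next reply is dropped, so the session dies even though both
    #    TCP endpoints still consider it established.
    late_reply = nat.inbound(pub_port, now=400.0)
    # 3. Active-mode FTP: the client advertises its private address, so the helper
    #    rewrites it and pre-creates a mapping for the server's data connection.
    port_line, data_map = ftp_port_helper(nat, "192.168.1.10",
                                          "PORT 192,168,1,10,200,14\r\n", now=500.0)
    data_conn = nat.inbound(data_map[1], now=501.0)
    # 4. The NAT box crashes and reboots: all state, and with it every session, is gone.
    nat.crash()
    after_crash = nat.inbound(data_map[1], now=502.0)
    return {"first_reply": first_reply, "late_reply": late_reply,
            "port_line": port_line, "data_conn": data_conn, "after_crash": after_crash}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Steps 2 and 4 are the "sessions die" cases: the inbound lookup returns None, which stands in for the translator silently dropping a packet for which it has no entry. Step 3 is the layering violation the helper exists for, and it is also why the helper has to be a state machine of its own: it has to guess, from a command line it parsed, that a connection it has never seen is about to arrive.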