
RE: CPEs



> >> 3. Should a host have the option of signalling to a CPE that it
> >> doesn't require any filtering?
> >
> > It would probably be useful in some scenarios.
>
> No.  No, no, no.  Firewalls don't care what nodes think are their
> filtering requirements.  Policy is decided by the firewall
> administrator and enforced in the network middlebox.

In a "home" environment, and in fact in most SOHO environments, there is no "firewall administrator". You have at best the "reluctant administrator", i.e. the one family member charged with rebooting the router when it fails. This is the main difference between "managed" and "unmanaged" environments.

In an unmanaged environment, you really cannot assume that the policy is decided by the firewall administrator. In practice, it is placed in the box by the firewall manufacturer, and mostly left untouched by the users. So, if we assume that the firewalls will be closed by default, we may as well assume that there never will be any incoming TCP connection in the home.

Now, that may be a fine assumption. At least, it is a predictable environment. We can start from there, implement all P2P services over UDP, and design some variant of STUN to open the holes. That may well be more productive than making stern-sounding statements in IETF groups...

-- Christian Huitema