[Ietf-behave] Fwd: [p2p-hackers] Official IETF behavior recommendations for NAT relevant to P2P
David Barrett
dbarrett at quinthar.com
Mon Jun 20 00:07:49 UTC 2005
Pyda Srisuresh wrote:
> First off, much thanks to David for taking the time and sharing his thoughts
> with the list. We could do with more people like you, David, to give us real
> feedback from an applicaion developers' perspective. I would really appreciate
> your continued feedback and involvement on this list. Thanks again.
Ah, you're entirely welcome. I'm glad the IETF-BEHAVE group is working
on this topic.
And I think I was being snippy last time I wrote and suggested anything
less than a total full-cone world was meaningless. This is anything but
the case. Granted, as a P2P developer, a standardized full-cone
Internet with fixed keepalives and so forth would be the ideal. But
there's a big range between where we are today and that ideal, and any
progress along this road is most welcome.
> Unfortunately, the predominant use-case of NATs during early deployment was
> client-server apps and people were concerned mainly about hosts running the
> client apps from behind NAT. P2P apps were not as prevalent. Security was a big
> concern.
>
> So, given the history and mindset of the NAT vendors from the past, I am sure
> you understand the reason behind the hesitation on this list.
Yes, I accept entirely the historical reasons why we are where we are
today. But it's frustrating from a development perspective nonetheless.
And security should always be a major concern. It's just unfortunate
when it comes at the expense of functionality.
Personally, I believe full-cone NATs provide the lion's share of the
benefits with the fewest detriments (blocking external traffic to
internal applications not anticipating it). But address restricted and
symmetric NATs offer few incremental security benefits, while carrying many
incremental detriments.
I believe full-cone NATs offer an excellent balance of "untargeted
security" and functionality, and that administrators seeking more
targeted security should purposely configure a firewall.
But I recognize that there is a diversity of opinion on the topic.
-david
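As an added illustration, not part of the thread, of the filtering differences being weighed above, here is a toy Python model of the four classic NAT types: each accepts or drops an inbound packet based only on the mappings created by earlier outbound traffic. All addresses, ports and the class itself are constructed for this example.

```python
# Toy model of NAT filtering behaviour (constructed example, not from any product).
# A mapping is created by outbound traffic; inbound packets are forwarded only if
# the NAT type's filtering rule accepts the source.
FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full-cone", "address-restricted", "port-restricted", "symmetric")

class Nat:
    def __init__(self, kind, public_ip="203.0.113.1"):  # public_ip is a sample value
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = 40000
        self.mappings = {}  # external port -> (internal endpoint, set of remote endpoints)

    def outbound(self, internal, remote):
        """Internal (ip, port) sends to remote (ip, port); return the public endpoint used."""
        for ext_port, (inner, peers) in self.mappings.items():
            # A symmetric NAT allocates a separate external port per remote endpoint;
            # the other three reuse one mapping for every destination.
            if inner == internal and (self.kind != SYMMETRIC or remote in peers):
                peers.add(remote)
                return (self.public_ip, ext_port)
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = (internal, {remote})
        return (self.public_ip, ext_port)

    def inbound(self, src, ext_port):
        """Return the internal endpoint a packet from src is forwarded to, or None if dropped."""
        entry = self.mappings.get(ext_port)
        if entry is None:
            return None  # unsolicited traffic to an unmapped port: every type drops it
        inner, peers = entry
        if self.kind == FULL_CONE:
            return inner  # any external host may use the mapping
        if self.kind == ADDR_RESTRICTED:
            return inner if any(p[0] == src[0] for p in peers) else None
        return inner if src in peers else None  # port-restricted and symmetric

def demo():
    """For each NAT type: (same peer/port, same peer/new port, unknown peer, new port per destination)."""
    host, rendezvous, stranger = ("10.0.0.5", 5000), ("198.51.100.7", 3478), ("192.0.2.9", 7000)
    results = {}
    for kind in (FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        nat = Nat(kind)
        pub = nat.outbound(host, rendezvous)
        results[kind] = (
            nat.inbound(rendezvous, pub[1]) is not None,
            nat.inbound((rendezvous[0], 9999), pub[1]) is not None,
            nat.inbound(stranger, pub[1]) is not None,
            nat.outbound(host, stranger) != pub,
        )
    return results
```

Only the full-cone row lets a peer learned through a rendezvous host reach the internal endpoint directly from a fresh address, which is the trade-off the message is describing.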