On Thu, 21 Dec 2000, Harald Alvestrand wrote:

> At 09:47 19/12/2000 -0800, Mike Fisk wrote:
> >It's an argument of semantics, but I prefer to say that we're separating
> >transport-layer end-to-end from application-layer end-to-end.  Make
> >applications explicitly terminate transport connections at gateways.  So
> >what is now a connection from me to you across a NAT and a proxy-ing
> >firewall would become a session-layer connection from me to you served by
> >transport connections from me to the NAT, from the NAT to the proxy, and
> >from the proxy to you.
> 
> These are called "application layer gateways", and exist in droves already.
> Most firewalls implement them, in addition to NAT and packet filters.

Yes, I was being slightly more general to include other gateways that
don't necessarily operate at the application layer:
TCP-splicing/spoofing, NAT, SOCKS, etc.

The problem is that the protocol mechanisms to discover and use these
gateways are piecemeal and inadequate.  That leads many of them to be
implemented "transparently" which breaks protocols that don't know there's
a gateway.

-- 
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information
