Hi Dave,

>If the server is telling the client who to use, then the client is
>connecting out for both the data and the control channels.  If they
>go out different exit points on the client side, there's no problem
>since both connections are initiated from the inside, right?

>Can you elaborate more on what the problematic scenario is?

Sure. In the case of the FTP data channel, the data connection is opened by the
server by default! This is called active FTP. To get around this problem,
RFC 1579, Firewall-Friendly FTP, documents a passive open; in this case, the
client initiates the connection. For more info, please see RFC 1579.

No matter whether it is an active or passive open, the modern stateful firewall will need to open
the "hole" by listening to the control channel for the "port" and "pasv"
commands. The hole is opened only on the firewall which is dealing with the
control channel. If the data channel goes through another firewall, apparently this
will not work.

FTP is just a classic example of the dynamic port problem that a firewall
needs to deal with. For VoIP apps such as H.323 and SIP, a similar problem exists
as well and is even more severe. This is because the signalling channel and media
channel are totally different and the destinations are usually completely
different.

As a firewall/NAT/IDP company we've been struggling with these issues all
the time. It really adds lots of complexity to the system. I just don't want
it to get worse in IPv6, if not better.

Hope this makes sense to you. 

Changming
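The following is an added illustration of the mechanism described in the message above; it is constructed example code, not part of the original mailing-list post and not any vendor's firewall. It models a stateful firewall's FTP application-level gateway: the firewall that sees the control channel parses PORT (active) and 227 (passive) to learn the data-channel endpoint and opens a one-shot pinhole for it, while a second firewall on a different path never sees the control channel and therefore blocks the data connection. The two firewall names, the addresses and the port numbers are all constructed; the PORT/227 encodings follow RFC 959.

```python
"""Toy model of an FTP application-level gateway (ALG) in a stateful firewall.
Constructed example: the firewall names, addresses and ports are made up."""
import re
from dataclasses import dataclass, field

# Client command:  PORT h1,h2,h3,h4,p1,p2   (server will connect back to client)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server reply:    227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\s.*?\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")


def decode_hostport(fields):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PORT/PASV encoding")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Pinhole:
    src_ip: str     # the side that will initiate the data connection
    dst_ip: str
    dst_port: int   # source port is left unconstrained, as many ALGs do


@dataclass
class StatefulFirewall:
    name: str
    pinholes: set = field(default_factory=set)

    def inspect_control(self, client_ip, server_ip, direction, line):
        """Watch one control-channel line. direction is 'c2s' (client command)
        or 's2c' (server reply). Returns the Pinhole opened, or None."""
        if direction == "c2s":
            m = PORT_RE.match(line)
            if not m:
                return None
            ip, port = decode_hostport(m.groups())
            # Anti-bounce check: only honour a PORT that points back at the client.
            if ip != client_ip:
                return None
            hole = Pinhole(src_ip=server_ip, dst_ip=ip, dst_port=port)
        elif direction == "s2c":
            m = PASV_RE.match(line)
            if not m:
                return None
            ip, port = decode_hostport(m.groups())
            # Only honour a passive address that belongs to the server we talk to.
            if ip != server_ip:
                return None
            hole = Pinhole(src_ip=client_ip, dst_ip=ip, dst_port=port)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        self.pinholes.add(hole)
        return hole

    def allows_data(self, src_ip, dst_ip, dst_port):
        """Default-deny for new data connections: only a matching pinhole
        permits one, and the pinhole is consumed on first use."""
        hole = Pinhole(src_ip, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.discard(hole)
            return True
        return False


def demo():
    """Returns (active via A, active via B, passive via A, passive via B)."""
    client, server = "192.0.2.10", "198.51.100.21"   # constructed addresses
    fw_a = StatefulFirewall("fw-A")   # carries the control channel
    fw_b = StatefulFirewall("fw-B")   # a different exit path; sees no control traffic

    # Active open: client tells server to connect back to 192.0.2.10:4001 (15*256+161).
    fw_a.inspect_control(client, server, "c2s", "PORT 192,0,2,10,15,161")
    active_via_a = fw_a.allows_data(server, client, 4001)
    active_via_b = fw_b.allows_data(server, client, 4001)

    # Passive open: server tells client to connect to 198.51.100.21:40000 (156*256+64).
    fw_a.inspect_control(client, server, "s2c",
                         "227 Entering Passive Mode (198,51,100,21,156,64)")
    passive_via_a = fw_a.allows_data(client, server, 40000)
    passive_via_b = fw_b.allows_data(client, server, 40000)
    return active_via_a, active_via_b, passive_via_a, passive_via_b


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(True, False, True, False)`: both active and passive data connections succeed only through the firewall that parsed the control channel, which is exactly the dynamic-port problem the message describes. The same state-tracking is what SIP and H.323 gateways must do for their media channels, with the extra difficulty that the media endpoint is often a different host altogether.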

--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------