> -----Original Message-----
> From: Changming Liu [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 2:14 PM
> To: Dave Thaler; Changming Liu
> Cc: '[EMAIL PROTECTED] '
> Subject: RE: v6 host load balancing
> 
> Hi Dave,
> 
> >If the server is telling the client who to use, then the client is
> >connecting out for both the data and the control channels.  If they
> >go out different exit points on the client side, there's no problem
> >since both connections are initiated from the inside, right?
> 
> >Can you elaborate more on what the problematic scenario is?
> 
> Sure. In case of FTP data channel, the data connection was opened by
> the server by default! This is called active FTP. To get around this
> problem, RFC1579 Firewall-Friendly FTP, documents a passive open, in
> this case, the client initiates a connection. For more info, please see
> RFC 1579.

Yes I'm aware of both modes.  Since you mentioned the server told the
client what server to use, I assumed you were talking about passive mode,
which is what I was responding to above.

> No matter whether it is active or passive open, the modem stateful will
> need to open the "hole" by listening to the control channel for "port"
> and "pasv" command.

You lost me here.  Since the passive open has the connection initiated
by the client, there is no need for the firewall around the client to
open a port based on listening to the control channel, right?

> The hole is opened only on the firewall which is dealing the
> control channel. If the data channel goes to another file, apparently
> this will not work.

I don't see why not.  It's just another outgoing TCP connection.

> FTP is just a classical example of this dynamic port problem that a
> firewall needs to deal with. For VoIP apps such as H323 and SIP, a
> similar problem exists as well and is even more severe. This is because
> the signalling channel and media channel are totally different and the
> destinations are usually completely different.
> 
> 
> As a firewall/NAT/IDP company we've been struggling with these issues
> all the time. It really adds lots of complexity to the system. I just
> don't want to get it worse in IPv6, if not better.
> 
> Hope this makes sense to you.

Not particularly.  I'm still at the same point I was before, where
elaborating on the exact scenario that fails would help.

Thanks,
-Dave

> Changming
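The exchange above turns on what a stateful firewall must do for FTP's two data-channel modes: in active mode the server opens the data connection inbound, so the firewall must learn the client's announced address and port from the PORT command on the control channel and open a pinhole for it; in passive mode the 227 reply tells the client where to connect and the client initiates outbound. The following is an added illustration, not code from either poster or from any product, modelling a minimal FTP ALG. The class and function names (`FtpAlg`, `parse_endpoint`, `Pinhole`, `demo`) and the sample control-channel lines and addresses are all constructed here; the six-number address/port form is the one RFC 959 specifies for PORT and the 227 reply. The example also shows the "different exit point" case from the thread by running a second firewall instance that never sees the control channel, and applies one hardening check a practitioner expects from an ALG: only honour an announced address that matches the peer on the control channel.

```python
import re
from dataclasses import dataclass

# Six-number form used by the RFC 959 PORT command and the 227 reply to PASV:
# h1,h2,h3,h4,p1,p2  ->  IPv4 address h1.h2.h3.h4, TCP port p1*256 + p2
_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) carried in a PORT command or 227 reply, else None."""
    m = _SIX_TUPLE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed: every field is a single octet
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Pinhole:
    initiator: str  # address allowed to open the data connection
    target: str     # address it connects to
    port: int       # destination port


class FtpAlg:
    """Hypothetical FTP ALG for one control channel on a stateful firewall.

    The firewall sits between an inside client and an outside server and
    only learns data-channel endpoints from control traffic it actually sees.
    """

    def __init__(self, inside_client, outside_server):
        self.client = inside_client
        self.server = outside_server
        self.inbound = set()  # pinholes for server-initiated (active) data connections

    def observe(self, line, from_client):
        """Feed one control-channel line; return the pinhole created, if any."""
        if from_client and line.upper().startswith("PORT "):
            ep = parse_endpoint(line)
            # Active mode: server will connect in. Only open the hole when the
            # announced address is the control-channel client itself.
            if ep and ep[0] == self.client:
                hole = Pinhole(self.server, ep[0], ep[1])
                self.inbound.add(hole)
                return hole
        elif not from_client and line.startswith("227 "):
            ep = parse_endpoint(line)
            # Passive mode: client will connect out; the endpoint is recorded
            # for visibility but no inbound pinhole is needed.
            if ep and ep[0] == self.server:
                return Pinhole(self.client, ep[0], ep[1])
        return None

    def permits(self, src, dst, port, from_inside):
        """Decision for a new TCP connection attempt (a SYN) through this firewall."""
        if from_inside:
            return True  # outbound connections are allowed by default
        return Pinhole(src, dst, port) in self.inbound


def demo():
    """Active vs passive data connections through the firewall that observed the
    control channel (fw1) and through a second exit firewall (fw2) that did not."""
    client, server = "10.0.0.5", "203.0.113.7"  # constructed addresses
    fw1 = FtpAlg(client, server)
    fw2 = FtpAlg(client, server)  # never sees the control channel
    # Constructed control-channel exchange: an active-mode PORT, then a 227 reply.
    fw1.observe("PORT 10,0,0,5,4,1\r\n", from_client=True)              # client port 1025
    fw1.observe("227 Entering Passive Mode (203,0,113,7,7,209)\r\n",
                from_client=False)                                        # server port 2001
    return {
        "active_via_fw1": fw1.permits(server, client, 1025, from_inside=False),
        "active_via_fw2": fw2.permits(server, client, 1025, from_inside=False),
        "passive_via_fw1": fw1.permits(client, server, 2001, from_inside=True),
        "passive_via_fw2": fw2.permits(client, server, 2001, from_inside=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running `demo()` shows the asymmetry under discussion: the active-mode inbound data connection is admitted only by the firewall that parsed the PORT command, while the passive-mode data connection is an ordinary outbound connection and passes either exit.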

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
