On Jan 3, 2011, at 13:43, Fernando Gont wrote:
>
> From the POV of a firewall, unless it really wants a packet to pass-through,
> it will block it.

That's an unwarranted assumption. Consider the "firewall" described in I-D.ietf-v6ops-cpe-simple-security, which is intended to block only unsolicited inbound traffic.

Once residential gateways that implement IPv6 Simple Security are ubiquitous, it will not be practical to introduce any new extension headers that these firewall appliances do not recognize. If they can't parse past the new extension header to inspect the upper-layer transport header, then they can't record state that will allow packets for the *solicited* return path. In other words, they're still forwarded, but the return path they're meant to solicit cannot be recorded.

--
james woodyatt <j...@apple.com>
member of technical staff, communications engineering

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
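Added example, not part of the original message or of the draft it cites: a minimal model of the behaviour described above, in which a gateway forwards outbound packets but can only record return-path state when it can walk the extension header chain to the transport header. The gateway class, the addresses, the packet bytes and the use of protocol number 253 as the "new" extension header are assumptions constructed for illustration.

```python
import struct

# Constructed model; header numbers are the standard IPv6 Next Header values.
HOP_BY_HOP, ROUTING, DEST_OPTS = 0, 43, 60    # extension headers the gateway can skip
KNOWN_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # Fragment (44) left out for brevity
TCP, UDP = 6, 17
NEW_EXT = 253  # experimental number standing in for an unrecognized extension header

def find_transport(next_header, payload):
    """Walk the header chain; return (proto, sport, dport), or None if it cannot."""
    off = 0
    while len(payload) >= off + 4:
        if next_header in (TCP, UDP):
            return (next_header, *struct.unpack_from("!HH", payload, off))
        if next_header not in KNOWN_EXT:
            return None  # unknown value: length and following header are unknowable
        # Known layout: Next Header, then Hdr Ext Len in 8-octet units minus one
        next_header, off = payload[off], off + (payload[off + 1] + 1) * 8
    return None  # truncated packet

class SimpleSecurityGateway:
    def __init__(self):
        self.state = set()  # expected reply tuples

    def outbound(self, src, dst, next_header, payload):
        t = find_transport(next_header, payload)
        if t:  # state is recorded only when the transport header was found
            self.state.add((t[0], dst, t[2], src, t[1]))
        return "forward"  # outbound traffic is forwarded either way

    def inbound(self, src, dst, next_header, payload):
        t = find_transport(next_header, payload)
        solicited = t is not None and (t[0], src, t[1], dst, t[2]) in self.state
        return "forward" if solicited else "drop"

def ext(next_header, body=b""):
    """Build a header in the common extension layout, padded to a multiple of 8."""
    data = body + b"\x00" * (-(len(body) + 2) % 8)
    return bytes([next_header, (len(data) + 2) // 8 - 1]) + data

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def demo():
    gw, host, server = SimpleSecurityGateway(), "2001:db8::10", "2001:db8:ffff::1"
    results = {}
    for port, (name, nh) in enumerate([("dest-opts", DEST_OPTS), ("new-header", NEW_EXT)], 40000):
        results[name] = (gw.outbound(host, server, nh, ext(UDP) + udp(port, 53)),
                         gw.inbound(server, host, nh, ext(UDP) + udp(53, port)))
    return results

if __name__ == "__main__":
    print(demo())
```

Both outbound packets are forwarded, but only the flow behind the recognized Destination Options header gets its reply admitted; the reply to the flow behind header 253 is dropped as unsolicited because no state was ever recorded for it.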