
   comp.protocols.tcp-ip      TCP and IP network protocols.      14,669 messages   


   Message 13,033 of 14,669   
   Jorgen Grahn to Roy Smith   
   Re: shutdown(2) and TCP socket buffers   
   08 Sep 09 19:11:28   
   
   From: grahn+nntp@snipabacken.se   
      
   On Tue, 08 Sep 2009 09:08:26 -0400, Roy Smith  wrote:   
   > In article   
   > ,   
   >  David Schwartz  wrote:   
   >   
   >> On the Internet, a lot of connections pass through firewalls and   
   >> transparent proxies that find it very hard to DTRT with half-open TCP   
   >> connections.   
      
   Ok. But note that at least some of the earlier discussion applied to   
   "fully open" TCP connections too -- ones which simply had no data   
   going in one of the directions.   
      
   > This is a specific case of the more general statement, "Things which are not   
   > commonly used tend to be broken".  Forget about firewalls, I wouldn't be   
   > surprised if you found kernels which can't handle simplex connections.   
   > It's just not something that's commonly done, so it doesn't get a lot of   
   > testing.   
   >   
   > We've found the same is true for TCP urgent (i.e. "out of band") data.  I'm   
   > currently working on an application which depends on OOB data to implement   
   > keepalive messages.  In theory, the design is fine.  The problem is, we   
   > keep running into real-life examples of systems with broken   
   > implementations.  Not to mention that the security world seems to have   
   > gotten into its head that urgent data is a security issue and we're seeing   
   > firewalls which are administratively configured to block any TCP packet   
   > with the urgent bit set.   
   >   
   > Bottom line: stick to the mainstream features, because they're more likely   
   > to work in the real world.   
      
   I won't argue against that ... but I note that there is another   
   way to think about it:   
      
   "Don't work around broken routers, IP stacks or muddy security   
   reasoning. Place the blame where it belongs, because otherwise pretty   
   soon we'll all have to use XML-RPC to port 80 for everything."   
      
   /Jorgen   
      
   --   
     // Jorgen Grahn    O  o   .   
      
