From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 29 Apr 2010 16:42:45 -0700
From: Derek Fawcus
To: Christopher Nielsen
Message-ID: <20100429234245.GA87408@willers.employees.org>
References: <5fa9fbfe115a9cd5a81d0feefe413192@quintile.net> <4fa1305e0f56a0ef89c2e05320fa5997@coraid.com> <43de5c2167c0a4851aeafaa07a0b982d@kw.quanstro.net> <816a521c149b06088f5023d3dfddf0ed@kw.quanstro.net> <28481.87344.qm@web1213.biz.mail.gq1.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.4.2.3i
Cc: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] A simple experiment
Topicbox-Message-UUID: 142c1d78-ead6-11e9-9d60-3106f5b1d025

On Thu, Apr 29, 2010 at 01:32:23PM -0700, Christopher Nielsen wrote:
> It doesn't play well with firewalls, NAT, or deep inspection because
> none of the vendors have added support for it. I tried to get Cisco to
> add IL support back in 2001, but they politely refused.

Add support to what? Also what level of 'support'?

IOS should already support IL in access lists simply by virtue of the fact
that one can specify a numeric IP protocol.

I agree that NAT and stateful firewalls (e.g. 'ip inspect' in IOS) would
need explicit support to understand the packet layout. But one can always
add exceptions to the firewall rules to allow IL through uninspected.
That's what I do on my IOS routers for oddball protocols.

NAT - it should simply die, until then run IL over IPv6 and avoid NAT?