Subject: Re: IPv6 Comment
To: Sean Doran <smd@ebone.net>
From: Matthew Orgass <darkstar@pgh.net>
List: current-users
Date: 09/01/2000 19:55:57
On Fri, 1 Sep 2000, Sean Doran wrote:

> Fixing that protocol wise is challenging, because you cannot initiate
> a conversation from the "outside" without being psychic or going out of 
> band.  

  The simple way to fix this is to never initiate a connection from the
server.  In the UDP case, require the client to send something from the
destination port first.  The translator then does port translation and can
always determine the destination.  If more than one connection or port is
needed, still have the client initiate the others and authenticate itself.
This allows networks that have no externally visible servers to completely
block all traffic that has not been initiated from the inside.  Keepalives
should be used when long delays are possible. 

  The result of sending a packet to the wrong host should never be
anything other than a terminated connection.  If this is not the case, the
protocol is broken.

Matthew Orgass
darkstar@pgh.net
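The translator behaviour described in the message (client initiates, translator records the port mapping, anything not initiated from the inside is dropped, keepalives refresh the state) as an added example; this is not code from the original post or from any NetBSD component. The class, method names, the idle timeout, the external port range and the documentation-range addresses are all constructed for illustration, and the choice to also check the remote endpoint on inbound packets is an assumption beyond what the message states.

```python
"""Stateful UDP port translator: replies are only admitted for flows the
inside client started, and idle flows expire unless kept alive."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Header = Tuple[str, int, str, int]  # (src_addr, src_port, dst_addr, dst_port)


@dataclass
class Mapping:
    inside_addr: str
    inside_port: int
    remote_addr: str
    remote_port: int
    last_seen: float


class PortTranslator:
    """Hypothetical translator with one public address (constructed example)."""

    def __init__(self, public_addr: str, idle_timeout: float = 30.0,
                 port_range: Tuple[int, int] = (40000, 40999)) -> None:
        self.public_addr = public_addr
        self.idle_timeout = idle_timeout  # keepalives must arrive within this
        self._next_port, self._last_port = port_range
        # inside flow -> allocated external port, and the reverse lookup
        self._by_flow: Dict[Tuple[str, int, str, int], int] = {}
        self._by_ext: Dict[int, Mapping] = {}

    def _allocate(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("external port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, src_addr: str, src_port: int, dst_addr: str,
                 dst_port: int, now: float) -> Header:
        """Client-initiated packet: create or refresh the mapping, rewrite the
        source so the remote host replies to the translator's public address."""
        flow = (src_addr, src_port, dst_addr, dst_port)
        ext = self._by_flow.get(flow)
        if ext is None:
            ext = self._allocate()
            self._by_flow[flow] = ext
            self._by_ext[ext] = Mapping(src_addr, src_port, dst_addr, dst_port, now)
        self._by_ext[ext].last_seen = now  # a keepalive refreshes this too
        return (self.public_addr, ext, dst_addr, dst_port)

    def inbound(self, src_addr: str, src_port: int, dst_port: int,
                now: float) -> Optional[Header]:
        """Packet from outside: admit only if it matches a live mapping created
        from the inside. Returns the rewritten header, or None when dropped."""
        m = self._by_ext.get(dst_port)
        if m is None:
            return None  # no inside host ever opened this port
        if now - m.last_seen > self.idle_timeout:
            self._drop(dst_port, m)
            return None  # state expired: client sent no keepalive
        if (src_addr, src_port) != (m.remote_addr, m.remote_port):
            return None  # assumption: reply must come from the host we talked to
        m.last_seen = now
        return (src_addr, src_port, m.inside_addr, m.inside_port)

    def _drop(self, ext: int, m: Mapping) -> None:
        del self._by_ext[ext]
        del self._by_flow[(m.inside_addr, m.inside_port, m.remote_addr, m.remote_port)]

    def active_mappings(self) -> int:
        return len(self._by_ext)


if __name__ == "__main__":
    # Constructed walk-through using documentation address ranges.
    t = PortTranslator("203.0.113.1")
    out = t.outbound("10.0.0.5", 5000, "198.51.100.7", 53, now=0.0)
    print("outbound rewritten to", out)
    print("reply admitted:", t.inbound("198.51.100.7", 53, out[1], now=1.0))
    print("unsolicited dropped:", t.inbound("192.0.2.9", 53, out[1] + 1, now=1.0))
    print("after idle expiry:", t.inbound("198.51.100.7", 53, out[1], now=100.0))
```

The two dictionaries are the whole "state" the message relies on: the outside world can only ever reach an inside port that an inside host has already used to send, and once the entry ages out without a keepalive the public port simply stops answering.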