W3C home > Mailing lists > Public > ietf-discuss@w3.org > December 2002

Re: Application protocols and Address Translation

From: Brian E Carpenter <brian@hursley.ibm.com>
Date: Tue, 03 Dec 2002 13:19:23 +0100
Message-Id: <3DECA14B.AA4E5A00@hursley.ibm.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: discuss@apps.ietf.org

Mark Nottingham wrote:
...
> 
> It's a start, but in many companies, the policy in place dictates that no
> external connections to internal addresses may be made. Furthermore, many
> companies use black-hole routing to control external access; i.e., they're
> using double-NAT on the gateways to completely isolate the networks'
> addressing, and force use of an intermediary in the DMZ for all traffic
> from the inside to out.

But there's a gross non-sequitur in this: NAT is irrelevant
to enforcing such a policy. You don't need NAT to black-hole
traffic; you just configure your routing accordingly, on both
sides of the DMZ. Plenty of companies protect their assets that
way.

There are lying salesmen who pretend otherwise. There are network
managers who fall for the lies and FUD.

  Brian
Received on Tuesday, 3 December 2002 07:20:39 EST
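To make concrete what "configure your routing accordingly, on both sides of the DMZ" means without any address translation, the following is an added example (not from the thread or from either author): a small longest-prefix-match forwarding model with two tables, one for the router facing the internal network and one for the router facing the outside. The addressing (10.0.0.0/8 inside, 192.0.2.0/24 as the DMZ with a proxy at 192.0.2.10, 203.0.113.0/24 as an outside site) is constructed for illustration. Direct inside-to-outside traffic hits a blackhole default route, so hosts must go through the DMZ intermediary; from the outside, internal prefixes are blackholed rather than merely absent, so a leaked default route elsewhere cannot reintroduce reachability. No packet has its addresses rewritten at any point.

```python
import ipaddress

# Constructed example addressing (documentation ranges, not a real site):
#   internal LAN   10.0.0.0/8
#   DMZ            192.0.2.0/24   (the proxy / intermediary lives here)
#   proxy          192.0.2.10
#   outside site   203.0.113.0/24

BLACKHOLE = "blackhole"   # equivalent of a Null0 / "blackhole" route: drop silently


class RoutingTable:
    """Minimal longest-prefix-match forwarding table.

    A route whose next hop is BLACKHOLE discards matching traffic. A lookup
    that matches nothing also returns BLACKHOLE, since a missing route is
    just an implicit drop."""

    def __init__(self):
        self._routes = []   # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self._routes.append((ipaddress.ip_network(prefix), next_hop))
        # Most specific prefix first, so the first match is the longest match.
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, hop in self._routes:
            if addr in net:
                return hop
        return BLACKHOLE


def forward(table, src, dst):
    """Forwarding decision for one packet.

    Returns (src, dst, next_hop). The addresses come back exactly as they went
    in: isolation here is a routing decision, not a translation."""
    return (src, dst, table.lookup(dst))


def build_inside_router():
    """Router between the internal LAN and the DMZ (hypothetical config)."""
    t = RoutingTable()
    t.add("10.0.0.0/8", "lan")          # internal subnets are reachable
    t.add("192.0.2.0/24", "dmz")        # the DMZ, where the proxy lives
    t.add("0.0.0.0/0", BLACKHOLE)       # no direct path to the outside at all
    return t


def build_outside_router():
    """Router between the DMZ and the Internet (hypothetical config)."""
    t = RoutingTable()
    t.add("192.0.2.0/24", "dmz")        # only the DMZ is reachable from outside
    t.add("10.0.0.0/8", BLACKHOLE)      # explicit drop, not just "no route"
    t.add("0.0.0.0/0", "internet")      # default to the upstream provider
    return t


if __name__ == "__main__":
    inside, outside = build_inside_router(), build_outside_router()
    cases = [
        (inside,  "10.1.2.3",     "203.0.113.5"),   # direct out: dropped
        (inside,  "10.1.2.3",     "192.0.2.10"),    # to the proxy: forwarded
        (outside, "203.0.113.5",  "10.1.2.3"),      # in to internal: dropped
        (outside, "203.0.113.5",  "192.0.2.10"),    # in to the proxy: forwarded
    ]
    for table, src, dst in cases:
        print(forward(table, src, dst))
```

The thing to notice is that the policy Mark describes (no external connection to an internal address, all outbound traffic via a DMZ intermediary) is fully expressed by the two tables; nothing in the data path depends on rewriting addresses. The caveat a practitioner would add is that routing-based isolation is only as good as the routing information: an internal prefix advertised through some other path, or a default route injected on the inside, reopens the hole, which is why the outside table pins the internal prefix to a blackhole rather than relying on its absence.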
