- From: Patrik Fältström <paf@cisco.com>
- Date: Mon, 2 Dec 2002 17:29:49 +0100
- To: Brian E Carpenter <brian@hursley.ibm.com>
- Cc: discuss@apps.ietf.org
On Monday, Dec 2, 2002, at 15:03 Europe/Stockholm, Brian E Carpenter
wrote:
> One of the problems here is that whatever we do in the addressing
> architecture, somebody can come along and sell a NAT-v6 box with
> the same misleading arguments that we hear for NAT-v4, apart from
> one (shortage of address space).
>
> So the real challenge is: how can we make it more attractive to
> *not* buy a NAT box than to buy one. I believe that should be the
> focus of applications people.

Brian, I completely agree with this, and that's why I would like to
have something which talks about the following:

- Security is handled by a firewall, not the NAT function
- Security is always in the form of some policy which someone wants to
  apply to a path
- If the policy allows application FOO to pass the point where policy is
  applied, the application will only work as planned if there is _NO_ NAT
  at that point

I.e. talk about security <> NAT and that NAT is bad for things which
the policy allows.

Do you think that can help?

paf

Received on Monday, 2 December 2002 11:30:51 UTC