Re: Application protocols and Address Translation

On Monday, Dec 2, 2002, at 15:03 Europe/Stockholm, Brian E Carpenter 
wrote:

> One of the problems here is that whatever we do in the addressing
> architecture, somebody can come along and sell a NAT-v6 box with
> the same misleading arguments that we hear for NAT-v4, apart from
> one (shortage of address space).
>
> So the real challenge is: how can we make it more attractive to
> *not* buy a NAT box than to buy one. I believe that should be the
> focus of applications people.

Brian, I completely agree with this, and that's why I would like to 
have something which talks about the following:

- Security is handled by a firewall, not the NAT function
- Security is always in the form of some policy which someone wants to 
apply to a path
- If the policy allows application FOO to pass the point where policy is 
applied, the application will only work as planned if there is _NO_ NAT 
at that point

I.e. talk about security <> NAT and that NAT is bad for things which 
the policy allows.

Do you think that can help?

     paf

Received on Monday, 2 December 2002 11:30:51 UTC