[111627] in North American Network Operators' Group


Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

daemon@ATHENA.MIT.EDU (Ricky Beam)
Mon Feb 9 17:11:44 2009

Date: Mon, 09 Feb 2009 17:11:25 -0500
To: "Stephen Sprunk" <stephen@sprunk.org>
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <498DE1AD.1000807@sprunk.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk <stephen@sprunk.org> wrote:
> Non-NAT firewalls do have some appeal, because they don't need to mangle
> the packets, just passively observe them and open pinholes when
> appropriate.

This is exactly the same with NAT and non-NAT -- making any anti-NAT arguments null.

In the case of NAT, the "helper" has to understand the protocol to know what traffic to map.

In the case of stateful firewalling ("non-NAT"), the "helper" has to understand the protocol to know what traffic to allow.

Subtle difference, but in the end, the same thing... if your gateway doesn't know what you are doing, odds are it will interfere with it. In all cases, end-to-end transparency doesn't exist (as has been the case for well over a decade).

--Ricky
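The point Ricky makes above, that a NAT gateway and a non-NAT stateful firewall both depend on a protocol-aware "helper" before a peer-initiated connection can get through, is easy to see in a small model. The following is an added example, not code from this thread or from any NANOG participant: it simulates a connection-tracking gateway that can optionally translate addresses (NAT) and optionally run a helper for a simplified FTP-style PORT command. The class and function names, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses, and the port numbers are all constructed for the illustration.

```python
"""Toy model of a stateful gateway with and without a protocol "helper".

Constructed example, not code from the NANOG thread: it models the point that
a NAT gateway and a non-NAT stateful firewall both need a protocol-aware
helper (ALG) before an inbound data connection announced on a control
channel can get through. The control protocol is a simplified FTP-style
PORT command; all addresses are constructed documentation-range values.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# "PORT h1,h2,h3,h4,p1,p2" announces host h1.h2.h3.h4, port p1*256+p2 (RFC 959 syntax)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port(payload):
    """Return the (host, port) announced in a PORT command, or None."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))


def encode_port(host, port):
    """Build a PORT command announcing host:port."""
    fields = host.split(".") + [str(port // 256), str(port % 256)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


class StatefulGateway:
    """Connection-tracking gateway; nat=True also rewrites source addresses."""

    def __init__(self, nat=False, public_ip="198.51.100.1", helper=None):
        self.nat = nat
        self.public_ip = public_ip
        self.helper = helper   # protocol-aware helper (hypothetical ALG hook), or None
        self.flows = {}        # (peer_ip, peer_port, ext_ip, ext_port) -> inside (ip, port)
        self.pinholes = {}     # expected inbound (ext_ip, ext_port) -> inside (ip, port)
        self.next_port = 40000

    def _external(self, inside):
        """Address the outside world sees for an inside (ip, port)."""
        if not self.nat:
            return inside
        self.next_port += 1
        return (self.public_ip, self.next_port)

    def outbound(self, pkt):
        """Inside -> outside: record state, translate if NAT, and let the helper
        open a pinhole (under NAT it must also mangle the announced address)."""
        inside = (pkt.src, pkt.sport)
        ext = self._external(inside)
        self.flows[(pkt.dst, pkt.dport) + ext] = inside
        payload = pkt.payload
        if self.helper is not None:
            announced = self.helper(payload)
            if announced is not None:
                hole_ext = self._external(announced)
                self.pinholes[hole_ext] = announced
                if self.nat:
                    payload = encode_port(*hole_ext)  # rewrite what the peer will see
        return Packet(ext[0], ext[1], pkt.dst, pkt.dport, payload)

    def inbound(self, pkt):
        """Outside -> inside: pass reply traffic of a tracked flow or traffic to a
        helper-opened pinhole, translated back to the inside address; drop the
        rest (returns None)."""
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            inside = self.pinholes.get((pkt.dst, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.payload)


def run_scenario(nat, with_helper):
    """A client behind the gateway announces a data port on the control channel;
    the server replies, then connects to whatever address it was told.
    Returns (control_reply_passed, data_connection_passed)."""
    gw = StatefulGateway(nat=nat, helper=parse_port if with_helper else None)
    client, server = "192.0.2.5", "203.0.113.7"   # constructed addresses
    ctl = gw.outbound(Packet(client, 50001, server, 21, encode_port(client, 5000)))
    reply = gw.inbound(Packet(server, 21, ctl.src, ctl.sport, b"200 PORT command successful\r\n"))
    target = parse_port(ctl.payload)   # the server uses the address it actually saw on the wire
    data = gw.inbound(Packet(server, 20, target[0], target[1]))
    return (reply is not None and (reply.dst, reply.dport) == (client, 50001),
            data is not None and (data.dst, data.dport) == (client, 5000))


if __name__ == "__main__":
    for nat in (False, True):
        for helper in (False, True):
            print(f"nat={nat!s:5} helper={helper!s:5} -> reply/data pass: {run_scenario(nat, helper)}")
```

In all four combinations the reply on the control channel passes, because plain connection tracking handles it. The server's data connection passes only when the helper ran: without NAT the helper only has to add a pinhole, with NAT it also has to rewrite the PORT payload, but in neither case does the gateway stay out of the way on its own.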

