[111631] in North American Network Operators' Group
Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Feb 9 17:48:25 2009
From: Owen DeLong <owen@delong.com>
To: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <op.uo3ulbnwtfhldh@rbeam.xactional.com>
Date: Mon, 9 Feb 2009 14:44:45 -0800
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Feb 9, 2009, at 2:11 PM, Ricky Beam wrote:
> On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk
> <stephen@sprunk.org> wrote:
>> Non-NAT firewalls do have some appeal, because they don't need to mangle
>> the packets, just passively observe them and open pinholes when appropriate.
>
> This is exactly the same with NAT and non-NAT -- making any anti-NAT
> arguments null.
>
And making the PRO-NAT arguments in this respect equally NULL.
This was being touted as a benefit of NAT, not a reason not to do NAT.
Your statement proves my point... It is NOT a reason to do NAT or a
benefit derived from NAT.
> In the case of NAT, the "helper" has to understand the protocol to
> know what traffic to map.
>
> In the case of a stateful firewalling ("non-NAT"), the "helper" has
> to understand the protocol to know what traffic to allow.
>
> Subtle difference, but in the end, the same thing... if your gateway
> doesn't know what you are doing, odds are it will interfere with
> it. In all cases, end-to-end transparency doesn't exist. (as has
> been the case for well over a decade.)
Right. This is the counterpoint to the argument that NAT is needed. You have
now agreed that it is not.
Owen