[89199] in North American Network Operators' Group


Re: shim6 @ NANOG

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Sun Mar 5 11:43:17 2006

Date: Sun, 05 Mar 2006 16:40:55 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <41B5A06D-4ECD-433D-B143-F72266909A75@muada.com>
To: North American Noise and Off-topic Gripes <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


On Sun, 5 Mar 2006, Iljitsch van Beijnum wrote:
>
> Of course having a TCP session or the like change addresses halfway
> through the session may throw stateful firewalls a bit.
>

I just love that shim6 basically == natv6... It WILL be implemented as
such if available to folks in that manner. I do think there will be a
market for a 'firewall' that is really a shim6 box that 'nat's the
internal network behind a single prefix, this is going to be 'fun' (but
not in the good way).

Oh, not just stateful firewalls... How are you planning on dealing with
LEO requests for CALEA when the addr changes mid-stream to some newly
arbitrary prefix? What about log correlation on web/content servers? What
about loadbalancers that balance on 'flows'? This is quite the
rabbit-hole Dorothy jumped down :(
