v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Owen DeLong owen at delong.com
Mon Feb 9 22:44:45 UTC 2009


On Feb 9, 2009, at 2:11 PM, Ricky Beam wrote:

> On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk  
> <stephen at sprunk.org> wrote:
>> Non-NAT firewalls do have some appeal, because they don't need to  
>> mangle
>> the packets, just passively observe them and open pinholes when
>> appropriate.
>
> This is exactly the same with NAT and non-NAT -- making any anti-NAT  
> arguments null.
>
And making the PRO-NAT arguments in this respect equally NULL.

This was being touted as a benefit of NAT, not a reason not to do NAT.

Your statement proves my point... It is NOT a reason to do NAT or a
benefit derived from NAT.

> In the case of NAT, the "helper" has to understand the protocol to  
> know what traffic to map.
>
> In the case of a stateful firewalling ("non-NAT"), the "helper" has  
> to understand the protocol to know what traffic to allow.
>
> Subtle difference, but in the end, the same thing... if your gateway  
> doesn't know what you are doing, odds are it will interfere with  
> it.  In all cases, end-to-end transparency doesn't exist. (as has  
> been the case for well over a decade.)

Right.  This is the counterpoint to the argument that NAT is needed.   
You have
now agreed that it is not.

Owen





More information about the NANOG mailing list