v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Ricky Beam jfbeam at gmail.com
Mon Feb 9 16:11:25 CST 2009


On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk <stephen at sprunk.org>  
wrote:
> Non-NAT firewalls do have some appeal, because they don't need to mangle
> the packets, just passively observe them and open pinholes when
> appropriate.

This is exactly the same with NAT and non-NAT -- making any anti-NAT  
arguments null.

In the case of NAT, the "helper" has to understand the protocol to know  
what traffic to map.

In the case of a stateful firewalling ("non-NAT"), the "helper" has to  
understand the protocol to know what traffic to allow.

Subtle difference, but in the end, the same thing... if your gateway  
doesn't know what you are doing, odds are it will interfere with it.  In  
all cases, end-to-end transparency doesn't exist. (as has been the case  
for well over a decade.)

--Ricky




More information about the NANOG mailing list