v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Mohacsi Janos mohacsi at niif.hu
Tue Feb 10 02:21:27 CST 2009


On Mon, 9 Feb 2009, Ricky Beam wrote:

> On Sat, 07 Feb 2009 14:31:57 -0500, Stephen Sprunk <stephen at sprunk.org> 
> wrote:
>> Non-NAT firewalls do have some appeal, because they don't need to mangle
>> the packets, just passively observe them and open pinholes when
>> appropriate.
>
> This is exactly the same with NAT and non-NAT -- making any anti-NAT 
> arguments null.
>
> In the case of NAT, the "helper" has to understand the protocol to know what 
> traffic to map.
>
> In the case of a stateful firewalling ("non-NAT"), the "helper" has to 
> understand the protocol to know what traffic to allow.
>
> Subtle difference, but in the end, the same thing... if your gateway doesn't 
> know what you are doing, odds are it will interfere with it.  In all cases, 
> end-to-end transparency doesn't exist. (as has been the case for well over a 
> decade.)


Your argument makes any pro-NAT arguments null. You agree that NAT and a 
Stateful Packet Inspection firewall do similar things. The advantage of the 
SPI firewall is that you have to maintain only one forwarding/state table, 
while in NAT you have to maintain two tables. Therefore the SPI firewall is 
more scalable....

Regards,


Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882



>
> --Ricky
>
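The table-count point made in the reply above, as an added illustration that is not code from the original post or from either poster: a toy stateful-packet-inspection (SPI) firewall beside a toy port-translating NAT. Both admit inbound packets only when they match a flow the inside initiated. The SPI box keeps a single state table keyed on the 5-tuple and forwards packets untouched; the NAT has to keep an outbound map (inside tuple to public port) plus an inbound map (public port to inside tuple) and rewrite the addresses in every packet it passes. The addresses, ports and packets are constructed for the example; the class and method names are the example's own.

```python
"""Toy SPI firewall vs. toy port-translating NAT (added example, not
from the original NANOG post).  Addresses and ports are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SpiFirewall:
    """Stateful firewall: ONE table of 5-tuples for inside-initiated flows.
    Packets are forwarded unchanged; inbound is admitted only if it is the
    mirror image of a recorded outbound flow (the 'pinhole')."""

    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return p  # no mangling: addresses and ports pass through as-is

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Reverse the direction and look it up in the same single table.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return p if key in self.flows else None

    def table_count(self) -> int:
        return 1


class PortNat:
    """Port-translating NAT: TWO tables, because each direction must be
    looked up by a different key.  Outbound is keyed on the inside tuple
    (to find or allocate a public port); inbound is keyed on the public
    port (to find the inside host).  Every packet is rewritten."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside_ip, inside_port, dst, dport) -> public port
        self.out_map: dict = {}
        # (proto, public port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.in_map: dict = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        # Mangle the packet: source becomes the public address/port.
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        inside = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if inside is None:
            return None  # no mapping: unsolicited traffic is dropped
        # Mangle again: destination becomes the inside host/port.
        return replace(p, dst=inside[0], dport=inside[1])

    def table_count(self) -> int:
        return 2


def demo() -> dict:
    """Run one flow through each device and report what happened."""
    syn = Packet("tcp", "10.0.0.5", 51000, "192.0.2.10", 443)  # constructed
    fw, nat = SpiFirewall(), PortNat("198.51.100.1")

    fw_out = fw.outbound(syn)
    fw_reply = Packet("tcp", "192.0.2.10", 443, fw_out.src, fw_out.sport)
    nat_out = nat.outbound(syn)
    nat_reply = Packet("tcp", "192.0.2.10", 443, nat_out.src, nat_out.sport)
    return {
        "spi_mangled": fw_out != syn,
        "spi_reply_admitted": fw.inbound(fw_reply) is not None,
        "nat_mangled": nat_out != syn,
        "nat_reply_admitted": nat.inbound(nat_reply) is not None,
        "spi_tables": fw.table_count(),
        "nat_tables": nat.table_count(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both devices need a protocol helper for anything that carries addresses in the payload (the "helper" in the quoted exchange), so neither is end-to-end transparent; the difference the reply argues is only that the NAT carries the extra inbound map and a rewrite on every packet in both directions.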



